[lkbm]

Neither.

1. Bundling them -- it should be trivial to turn off all non-security updates while still getting all security updates.

Counterpoint: There might be no unambiguous distinction between security update or non-security update.

2. Not having them. WannaCry was so bad because Microsoft stopped providing security updates for a system that's still widely used.

Counterpoint: It seems odd to insist Microsoft continue to provide updates to a fifteen-year-old system they end-of-lifed three years ago. Should we be able to force them to keep providing updates indefinitely by steadfastly refusing to upgrade?