by rkagerer
243 days ago
I've encountered a lot more grief from ill-managed updates - and abuse of their delivery mechanism as a perverse means to shove unwanted software down my throat - than from the impact of any security incidents arising out of missing, delaying or contravening one. The first issue is you don't meaningfully control the timing (i.e. defer until you have time to deal with any fallout, which may be >30 days), and that you can't manage your risk by reviewing what's in them and selectively picking the ones you want (i.e. true security fixes with limited surface area to bork things). Once upon a time both those things were easy (e.g. meaningful descriptions) and under your control.