If I'm being really frank, are system updates not more disruptive, destructive and result in more data loss and downtime than all the attacks you'll experience in your lifetime? (unless you're a high value business target ofc, I'm talking for personal machines)
In my book, having unattended-upgrades or Windows Update run amok on your system is functionally worse than a rootkit.
This is why you always have a test environment and good, tested backups that are easy and quick to roll back to. Even if something makes it past test (or there is an install problem with a patch that is otherwise fine) you can just roll back.
For personal machines without those resources you are in a bit of a hard place - although many OSes and software these days have long-term stable versions and the ability to defer auto patches by a week or two.
This. Lost hours from the hours running the updates, lost hours from the occasional faulty upgrade, and every now and again it fails spectacularly and needs a restore from backup to return to productivity. No matter if it's Ubuntu LTS or non-LTS, every six months there's always something radically changed. OpenSUSE Leap has the same problem. I'm looking at Tumbleweed but a new version every week is going to break occasionally. Gentoo build-from-source is going to have weirdness every now and again, if not utter ruin. macOS updates yearly, and brings horrors with every point zero release. Windows is Windows, and those problems are well known. I don't think there's a way around it with the current offerings.
It's a problem we have to live with for the sake of progress and for security updates. Every machine needs downtime for maintenance on a periodic, often-scheduled basis. It might cost time but avoiding updates is not a good plan.
Aside from dodgy updates that have to run as root to install, if you have passwordless sudo it's more dangerous than any broken package or local-only privilege escalation exploit. I'll wager many have it set up that way, because typing passwords is tiresome.
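The passwordless-sudo point above is easy to audit. The following is an added example, not code from anyone in this thread: a small POSIX shell script that lists the active (non-commented) sudoers rules granting `NOPASSWD`, run here against a constructed sample file rather than the real `/etc/sudoers` or `/etc/sudoers.d/*`. The function and sample names are my own; on a real system you would point `find_nopasswd` at the real files as root.

```shell
#!/bin/sh
# Added example (not from the thread): report sudoers rules that grant NOPASSWD.
# Assumes sudoers syntax; the sample content below is constructed for the demo.

# Print every active rule in file $1 that contains NOPASSWD.
# Comment lines and blank lines are dropped first so that a commented-out
# rule is not reported. Exit status is 0 if at least one rule matched.
find_nopasswd() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | grep 'NOPASSWD'
}

# Print the number of such rules (0 when there are none).
count_nopasswd() {
    n=$(find_nopasswd "$1" | wc -l | tr -d ' ')
    echo "$n"
}

# Constructed sample sudoers content. On a real host audit /etc/sudoers and
# every file under /etc/sudoers.d/ (after checking syntax with `visudo -c`).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# User privilege specification
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
# alice  ALL=(ALL) NOPASSWD: ALL   (commented out, must not be reported)
bob     ALL=(ALL) NOPASSWD: ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
EOF

echo "NOPASSWD rules in $SAMPLE:"
find_nopasswd "$SAMPLE" || echo "(none)"
```

The blanket `bob ALL=(ALL) NOPASSWD: ALL` line is the case the comment above is warning about: any code running as that user, a faulty package post-install script included, can become root without a prompt. The narrower `deploy` rule limits that to one command, which is the usual mitigation when a password prompt genuinely cannot be used.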