My personal take is to always install security updates within a few days of release, just enough time for any big bugs (which don't often come in the SECURITY updates; most buggy updates I've seen have been buggy feature updates) to be detected and discussed online. I never do any non-security updates for Windows; sometimes there are some which may fix certain bugs, but I've never experienced any of those bugs so have no need to fix them. I avoid feature updates too. What this means in practice these days is that I make an approximately monthly visit to Microsoft's update catalog website and download the .msu file for the "security only" update, which I then install. I hide the roll-up updates (which have security plus huge amounts of new feature components and some non-security bug fixes) when they appear in Windows Update, which I keep set to "check for updates automatically but ask me whether I want to download them"; this way I don't fail to know when updates are available but I can veto the ones which I don't want.
Ghostbusters2, you did what was right for you in terms of removing and not installing the telemetry, GWx and feature updates, but you really need to be installing the security ones. (Assuming you are on Windows 7/8/8.1.) These days you can't get the security only ones via Windows Update; you must let Windows Update check for updates, then when it alerts you that there are some, follow the "more information" link, which will open up a page with information about the update in your default web browser. On that page look for the security only update with the same date as the monthly rollup, then go to its page and follow the link from there to the Microsoft Update Catalog website, from which you can download a .msu file which, when you open it, will install the security only update for you.
P.S. Regarding "I had originally set it to "Download updates but let me choose whether to install them" but I discovered that this option can't be trusted and will still automatically install certain updates": I've heard people talk of this but never actually seen it for real. It's always sounded a nasty possibility, but I've generally thought that it cannot happen and rather that the people saying this have made a mistake somewhere or that updates had already been downloaded before they switched to "check automatically but...". I would like to know more about what happened with your system when this occurred, so I can work out which is the case.
Edited by rp88, 11 December 2017 - 06:25 PM.
Back on this site, for a while anyway, been so busy the last year.
My systems: 2 laptops, Intel i3 processors, Windows 8.1 installed on the hard drive and Linux Mint 17.3 MATE installed to USB