i disabled updates on W7 for most of my clients years ago because MS updates caused WAY more problems than they solved.
their systems are secure because i always establish a Limited User Account that they use for their work, in addition to a default administrator account that they never use themselves, and which is used exclusively by me for software/printer adds/removes/updates ...
I've been retired for a few years from IT support so I am not current on all the issues other than supporting my own and family member's machines. That said, I've never been hacked following proper computing practices and doing updates in a timely manor. There are valid reasons not to do OS upgrades and updates because of cost or totally breaking a critical application. If I were to run a private consulting business, I would get it in writing that is OK the customer accepts the risk..