I have heard this complaint uttered for years and many versions and to this day, I still don't understand why someone would avoid updating their OS with the exception of enterprise users who have to update many machines at the same time and with specialized programming.
Sure, I can envision a update that fails, or a application that reacts badly to a security patch, but in all these cases, you fix the application before you let your machine run with a known vulnerability.
I just can't wrap my arms around this anti update sentiment.
Full disclosure: I think that if it was done right, a regular stream of security updates to a widely used consumer OS would be terrific and nothing short of a boon to the user.
Problem is, it can’t be done right within the context of Windows.
Done right, it would not require a reboot except for extreme patches to the inner kernel, as Linux and Unix do. Reboots are disruptive and it is only the poor architecture of Windows that makes them necessary with every update set.
Done right, it would not break things, applications in particular. But Windows forces applications to do things in a way that makes them more fragile.
And so on. I’d love it, if it could be done right. Alas, no such luck.