Re: @AC who won't install an update without knowing what is in it
So I guess you never install Microsoft security patches, at least those that say nothing about what is being fixed, just that it is security related?
Hmm, which part of "it's one of the reasons I abandoned the Microsoft game" was unclear to you? Let me help you a bit: false flag updates. Updates that purport to be for security, but in reality sneak in stuff we absolutely don't want. If you think Win10 up-, sorry, downgrades are the only thing to sneak in via that channel, you must be new to IT and to Microsoft's illustrious history.
To be fair, the most blatant example of that didn't come from Microsoft recently, but from Adobe, when they updated Acrobat Reader from version 11.0.1 to the "DC" version as a "security" update which also casually required you to accept new Terms & Conditions that made even Google's look benign (you basically agree to allow Adobe Reader to become a side loading channel for advertising). Needless to say, that went straight on the blacklist, so the few systems that have Acrobat Reader installed remain with v11.0.1, and we elevate the controls on its use to manage the resulting risk. We haven't quite finished evaluating whether we need it at all; it is quite possible we'll even uninstall those last ones.
The latter also answers your question: yes, if we find something we don't like, we will evaluate the risk of both upgrading and not upgrading. Apple has in that respect been rather straightforward - we have as yet not come across any creative side loading in either OSX or iOS.
The only pain is that their patches typically do the whole OS, so you always take a hit of between 2 GB (iOS) and 6 GB (OSX) per patch, and most of the time you'll face a reboot. Windows users are used to that; users of any Unix variant (in which I include OSX) not so much.