In theory, and practice
Currently, I'm a sysadmin of the firm I work for, and a number of our customers.
Regardless of the network setup, bandwidth, automation, best practice and all the money/time in the world thrown at it, MS still struggle to release TESTED patches.
Scenario: Patch Tuesday comes around, MS release 60 patches for Office, 20 for Servers 2008 -> 2016 (applicable for x64 infra), and Adobe throw in some for good measure. These get approved when they appear on WSUS.
End Result: Patches get rolled out, finance complains because scripts to integrate the financial system and Excel for reporting don't work anymore, web services stop working because you're running them compliant to .NET 3.6 but they rolled out .NET 4.2 and your other software companies haven't yet updated their application to work with it.
Sysadmin spends a couple of hours patching, several hours unpatching, meanwhile getting blamed for being out of scope/GDPR compliance on system security and integrity.
OR
Everything goes through fine, no problems reported, but all of your clients stop reporting to WSUS because the patch wasn't tested with WSUS deployment (NO, not everyone wants to use Intune/SCCM!!) and now you have to manually patch all the clients to get them reporting again.
Oh, and don't forget, auto deployment of the 6 month updates to Windows is bad for on-call users. Best to do that manually.
As above, sysadmins seem to get a lot of the blame and responsibility when we are only responsible for the maintenance and upkeep - not actually developing these patches.
And don't get me started on testing procedures in small companies....