Can I play devil's advocate?
Hands up all those sysadmins here who always patch their Windows servers every 2nd Tuesday of the month? How about those who patch their RHEL6, CentOS, or other *nix boxes fequently?.....any takers?
On the presumption that there aren't too may takers (and from what I've seen that's a fair proportion of corporate systems), can I ask a rhetorical question: Why?
Having asked it, can a presume to suggest an answer: because introducing new patches needs to be tested and may introduce an unknown security or reliability issue.
So, what's different in the "home PC" market? Financial losses are lower if it goes pair shaped; average user experience is lower, complexity is lower, but most other things in terms of patching are similar.
So....why are residential users encouraged with an almost religious zeal to patch while sysadmins get a nod. Perhaps because the sysadmins are paid to take the risk, perhaps because given the lower average user experience with residential systems the balance of risk is to install rather than not.
My point is, there is no black and white. Everything is a shade of grey. Not patching as per JPF's approach is a valid work practice in certain circumstances. However, as noted in my earlier post, there are some patches that warrant installation even if nothing is broken on the local machine (As is the case with the OP's reference to the forged MS Certs).
My approach for the experienced user is to help them understand how to make a judgement on whether to install or not. True enough there are some circumstances where I might say "yes, always install Windows Updates", but those users are the least experienced and the balance of risk falls squarely on the install side. Just the same, there are commercial clients that I work with where each patch is investigated on it's own merits analysing the risk of not installing against risk of impact if they do install and it breaks something. Some clients have a formal sign-off by senior staff in the IT group before any patch is installed.
In my book there are risks and the potential for trouble with both blind adherence to patching and a never-patch ideology. I consider a judged position to be the best option. At least then if something goes wrong, the user may have an idea why and how to fix it.
So, while I don't agree with JPF's approach to patching in most circumstances, I at least acknowledge it is as a result of a rational thought process and backed up by knowledge and understanding of how to manage a system.
None are so hopelessly enslaved as those who falsely believe in NIS (or McAfee or Trend Micro, or,or,or)...or System Patching.