This is an old discussion, really. Somehow, Fred is always involved in it.
I have said it before and will say it again. Advising not to patch is quite risky. What if someone so advised gets infected and comes here and complains about bad advice?
The "stable and working" argument misses the point, hugely, IMHO. A security bug most of the time has no impact on functionality. So, an unpatched system will be stable and working ... and vulnerable. Most of the hugely advertised security attacks take advantage of "old" security vulnerabilities. Take the much "popular" Stuxnet and Flame, for example. The problem with reactive protection is that it looks for signatures of known attack malware. That's why it is advantageous to plug the original hole, rather than put a "police" officer making sure no one gets in through the hole. He may fall asleep or not recognize a rogue attempt to use the hole. Even other types of protection may not be effective against unknown malware.
The fact that one specific person took a given strategy and that has worked for that person is statistically irrelevant. Jokingly, I would say that it somehow makes me remember a Portuguese joke about a guy that was shaking arms and legs wildly in one of the main plazas in Lisbon. When asked about the reason for his behavior, he simply answered he was trying to scare crocodiles away. When someone remarked that there were no crocodiles there, the person's response was immediate - "see how this strategy is effective?!!".
Of course, there is no guarantee that patched systems will always be immune to malware and there is no guarantee that the patching process itself won't create problems of its own - some people die or get seriously ill from vaccines. We all make decisions based on probabilities, every single day, most times without even thinking about it. On a forum like this, all we can recommend is best practices. Statistics are well supportive of best practices.
That said, I also think the recent versions of NIS are better than the older ones, which basically wrecked NIS's reputation. They are lighter and much more effective. Do they avoid the need for patching? IMHO, no.
I use two paid apps from Emsisoft, which frequently rank among the best in the market, and I still patch. It's all about probabilities. It's my own crocodile-scaring strategy and I can say it does work for me and the people I advise, even those who are not computer literate.