By default, many distros already install urgent security patches automatically. I'm pretty sure Debian does it for me, but I cannot remember all of the details.
In 2021, "absolutely no auto-anything" seems to guarantee your host will fall out of compliance and fall prey to hackers. How do you respond?
To me it seems like there is a different trend happening - Ubuntu now has snaps which auto update and you no longer can get some software without them, whereas even Debian comes with unattended upgrades enabled in some cloud vendors.
Of course, only security update being enabled isn't such a bad thing, but in my experience and and all updates can break things sooner or later.
1. Only distribute Free/Open Source software.
2. Only distribute software that somebody is there to package.
3. Allow the users to install other software and shoot themselves in the feet if they so desire.