
OP posted a since-the-dawn-of-time complaint about automatic updates that ignores why they are necessary, and clearly states that he's just refusing to engage with the usual reasons for them.

The "generic" response is because the complaint is similarly generic.




Sorry, I'm not sure I'm parsing this right, you're saying "security updates are necessary and I as a user am going to have worse outcomes for not updating my stuff"?

My personal experience does not match this at all, so is the explanation there that I'm just lucky?


Sorry for the reply to my own reply here but I'm genuinely incredibly curious for someone to explain to me why updates are necessary. It really seems like a cargo cult thing to me but I'm not the smartest person and if someone can explain to me where I'm doing my threat model/attack surface analysis incorrectly I'd love to learn.


>I'm genuinely incredibly curious for someone to explain to me why updates are necessary.

Because software is never finished. There are always bugs to fix, new platforms to support, new features to be added, more polish to be added, etc. It is the developer's goal to have the quality of their software go up over time.

It is in developers' interest for their users to remain secure, not experience bugs, have a good experience, and to solve a problem or need they have. Updates to applications try and address one or more of these things.

If making the user's life better is a cargo cult thing, then maybe that cargo cult isn't such a bad thing.

If you are specifically talking about why should you care about a Chrome 0day patch because you've never visited a shady site that tried to exploit it then the reason is that it's important for the ecosystem to be seen as secure. You want to make it as least financially viable to exploit Chrome as possible, you want to ensure people think of the web as a secure platform they can use without being afraid, as Google you want to avoid bad PR about a big hack. The first point is important. You want to increase the customer acquisition cost for an attacker which is "the cost to get a visitor divided by the chance a user's browser has not gotten the patch yet." (In practice different demographics may have different patch rates which lowers the CAC by targeting that demographic.) Google's lever for increasing an attacker's CAC is to use autoupdates to lower the chance. When CAC > LCV (lifetime customer value) then the attacker does not have a financial incentive to compromise users and this results in a large drop in the rate of attacks. The required updates remove the incentives to use the attacks which is why you feel like you aren't being targeted.

It's like how some management don't understand the value of a system administrator because when a system administrator does their job correctly everything appears to just work. When security updates are properly going out it may feel like they are unnecessary, but that just means that the defenders are doing a good job.


In the first bit you have not described why updates are necessary, you've given some reasons why updates can be useful. Opting into updates sometimes is fine. The context of the parent and grandparent posts is specifically security and security updates.

Security-wise, for most applications there's the oft overlooked possibility of just not connecting to the internet. Though when it comes to my personal experience running antivirusless Windows with updates disabled it has not been a problem for me for a decade now. According to my router I'm not part of a botnet either. It just doesn't seem necessary at all. Your attack surface as an individual on a reasonably well secured network is minuscule and your threat model is basically just the background radiation of bots trying whatever random exploits. Sure, I keep my router patched because it's on the edge, but other than that it doesn't matter.

Though I will give you that browsers are a special case where the tool is specifically used all the time to connect to potentially hostile content and give that content the ability to execute code on your machine. Things on the edge are a scenario where keeping up with security patches actually makes sense.



