Well, you're between a rock and a hard place. No auto-update = security risk exposure, auto-update = stability risk exposure (and sometimes security risk exposure thrown in for free as well).
If the only externally visible service you run is sshd then how important is it to auto-update for security reasons? (Also considering that security risks in sshd are almost guaranteed to end up on the front page of HN, so you won't miss it).
