They may not keep all of the software on your system up-to-date. Even if they patch most of your applications, some applications may be managed by other update tools. Some may not have any auto-update facility at all. For this reason, automatic updates can create a false sense of security if you rely on them alone.

Automatic updates usually can’t update firmware or other special types of files. These updates need to be applied manually, or via special tools.

Updates that haven’t been properly vetted can sometimes cause problems. There are no shortage of horror stories (like this one) about severe problems caused by an update.

An up-to-date system is not necessarily immune to every possible security vulnerability. There may be undiscovered vulnerabilities that have not yet been patched. This is another way in which update tools can breed false sense of security.

Updates often take a long time to download and install. In the meantime, normal workloads are interrupted. It is usually not possible to know exactly how long an update will take until it is already in progress, and some update tools don’t let you configure which times of day updates are applied.

Critical security vulnerabilities. Fixing known, zero-day security problems automatically is worth the risk and possible disruption to workloads because the risks of these security vulnerabilities are too great.

Operating system updates. Patches for the operating system itself are usually well tested by vendors. They are less risky to apply than application updates, which may or may not be thoroughly vetted before they are pushed out.

Updates for systems that can easily be rolled back. The ability to “roll back” a system — meaning restore it to a previous state in time — is a handy safeguard against updates that go wrong. For systems that are virtualized or use containers, roll backs are often easy to perform because virtual disks or container images can be reverted to earlier states. (Some operating system provide their own roll back features, but these tend to be less reliable.)

Updates to firmware, peripheral devices, network switches and other types of software that cannot be automated in a reliable way.

Non-critical updates. Either apply these manually, or wait a little bit before applying them automatically, so that the kinks can be rolled out.

Updates to systems that need to be highly available. The last thing you want is an update that brings a critical server down while the update is being installed. If your servers are going to crash, at least let it be for a better reason than an update.