I pick 1,2,3. I don't think there is any reason not to apply critical security updates. You could skip on milder security updates due to the possibility of something breaking, but to never update any packages Windoze-style is just gross ignorance IMO. Those people deserve what is coming to them.

Granted I started with Linux due to a work project long ago and worked with it as an OS for custom devices long before I used desktop Linux; however the main reason I switched my home and primary work desktop to Linux was because of all the Windows problems with malware, adware, and etc.

But ... you know? Upgrading, not upgrading (and mostly NOT) I have NEVER run into a situation where Linux has screwed me, or a case where some security hole has been my downfall.

Maybe that's complacency where I'll end up regretting it, but usually I'll see evidence that security has become an issue for Linux as of late and that will raise my antenna enough for me to change my ways.