...and to add to that, all servers have an Apt proxy setting pointing them to a squid proxy, so security.debian.org doesn't get hit hard either - this is something that anyone can do, even without a local mirror.
The whole system was not described in one measly little
We're a university - we run a local Debian mirror.
As another "sub 7-digit guy" - there is a reason for this... There is no way I'm going to let over 60 servers automatically install patches without me checking them first! Download, yes. Install, no.
At work we use cfengine to manage the servers, with a home-built script that allows servers to install packages (of a specified version). Package is checked and OK? Add it to the bottom of the text file, GPG sign it, and push it into the repository. cfengine takes care of the rest (our cf system is slightly non-standard, so everything has to be signed and go through subversion to actually work).
So that's about 8165 x 6124 at your standard 4:3, and an image of approx 27" x 20" when printed at 300dpi...
If you think the system is working, ask someone who's waiting for a prompt.