>>the developer releases a general security update that applies to everyone, you'd be fine with your host disabling essentially your entire site until you fixed it?
It all depends on the TOS from the host. Maybe the host declares that they disable clients that are contributing to (or may contribute to) network abuse. Unpatched machines will get compromised and become launchpads for attacks on others.
>>And if you're on vacation for a week or two when it happens? What then?
Would you rather come back from vacation to a disabled but uncompromised site, or to a enabled but compromised site? For the first case, you'd need to apply the updates and then restart the server. For the second case, you'd need to scrub the machine, re-install all your software and customizations, then restore your databases and content directories from backup.
>>I rather like the fact that the stuff I run can essentially sustain itself in my absence.
The point is, it can't. You can't secure a box and walk away for days/weeks/months. You need to be actively maintaining your servers.