For general information, if you're installing a fresh Windows 7 now (starting from SP1, presumably) then it seems by far the fastest way to get a system reasonably well patched is to install the Convenience Rollup (KB3125574) and if necessary its prerequisite (KB3020369) from the Microsoft Update Catalog. That immediately brings you up to somewhere around April 2016 in terms of patch level, and you can download the required files quickly from the Catalog site and then install them locally using WUSA without waiting around for hours while Windows Update does whatever its current broken mess needs to do now. The most recent time I did this was just a few days ago, and after doing that it was then another couple of hours for Windows Update to find the rest and install the remaining security updates, but at least it could be done in an afternoon instead of leaving the new PC overnight and hoping it might have found something by the morning. Spybot Anti-Beacon or some similar tool can still turn off the various telemetry junk that you can't now individually because it's all bundled into the CR update.
Incidentally, for those who would prefer to keep security patching their existing Windows 7 systems but not get anything else, there are reportedly (direct from a Microsoft source) going to be monthly security-only bundles as well, but you'll have to get those from Microsoft Update Catalog manually as well, they won't be advertised or pushed out through Windows Update. So it looks like the new SOP is to turn off Windows Update entirely (as a bonus, you get back that CPU core that's been sitting at 100% running the svchost.exe process containing the Windows Update service for the last few months) and instead just go along and manually download the security bundle each month to install locally.
Of course, Microsoft Update Catalog requires Internet Explorer 6.0 or later and won't run with any of the other modern browsers, but I'll live with using IE to access it if it means I get security-patched but otherwise minimally screwed up Windows 7 machines for another 3 years.
Also, it's been confirmed that this policy will apply to all editions of Windows 7. It's not an Enterprise-only feature and doesn't require the use of WSUS etc. Let's hope they stick to their word on this one.