For one thing, patches are ineffective against a bandwidth consumption attack.
Then updates don't matter and shouldn't be forced.
I was unclear. Against a bandwidth consumption attack, patches to the machine that is the ultimate target of the attack are ineffective, but patches to the machine that would form part of the botnet are effective.
I'm told a lot of these attacks target Internet-exposed devices other than PCs, such as modem-routers and older smartphones.
Then that has nothing to do with Windows updates and they shouldn't be forced.
They have much to do with Windows updates if a botnet is used to "target Internet-exposed devices other than PCs", and the machines that would form part of the botnet run Windows.
How do you think new vulnerabilities come about?
New vulnerabilities tend to be introduced with new functionality, not with patches focused solely on security.
The user is the only person who should get a say in what happens on their computer.
By that reasoning, the user should be held responsible and liable for all use of the user's computer as a botnet agent. If someone adds your unpatched computer to his botnet, and someone uses your computer to DDoS someone, you should go to jail for recklessly participating in said DDoS.