Microsoft announced this week, via a blog by Senior Escalation Engineer Stefan Goßner that SharePoint CUs will be included in Windows Update. The comments on that post indicated the risk for many SharePoint deployments.
In summary, Stefan acknowledges that due to the number of configurations possible with SharePoint that no guarantee can be made about causing issues in existing code (called a regression). Stefan also points out that production servers should not take updates directly. While many agree with this position, I find that small business administrators (who deal with everything, not just SharePoint) are not well versed in SharePoint patching and just accept the default values.
So, if this situation applies to you, I suggest you look at your Windows Update settings. I'm off to update my DSC configuration to make these changes to my VMs.