I do not permit automatic updating, from Apple or any source. All updating has to be instigated by me on a case by case basis.
(See Software Update under System Preferences.)
(Software Update prefs are found under System Prefs > App Store in Sierra, but I think they're still the same as in earlier OS versions.)
I'm fully aware of that pref, and I've got "Download..." checked, so my updates wind up in /Library/Updates until I deal with them, but there was
at least one instance (within the past 18 months or so) in which Apple circumvented my pref and pushed through a critical security update of which I wasn't aware until I read about it after the fact.
I doubt that your pref setting prevented it any more than mine did, but perhaps someone knows better.