I've got some info...
The "NTP bug" silent security update referred to in
Apple pushes its first ever silent, automatic security update to Mac OS X... is listed in
Apple security updates (2014), while the similar "Gatekeeper" update referred to in
Apple pushes silent security update is not
specifically listed in
Apple security updates, nor is it
obviously included in
About the security content of macOS Sierra 10.12.4, Security Update 2017-001..., which was released 4 days after the update referred to in the article.
The first linked article includes
In any case, Apple thought this was a good opportunity to try out OS X’s automatic silent-patching mechanism. The feature has been present in OS X for at least a couple of years, but Apple says this is the first time it has ever been used.
and
According to Apple PR, the security update (which is rolling out right now), “is seamless. It doesn’t even require a restart.†Apparently, when it’s your turn to receive the update, it will download and install automatically — the first you’ll know about it is a confirmation box after the patch installs, telling you it was a success.
That very strongly suggests to me that the updates in question cannot be "turned off"...that they're considered so necessary that Apple has built a backdoor into OS X/macOS to ensure that they can't be ignored.
Any additional info and/or insights will be appreciated.