That isn't necessarily true at all. Indeed, the basis of this very story is that Microsoft has been providing updates for older versions of Windows that included only the security patches (i.e., not new features, telemetry, and any other stuff that might change the behaviour of system in ways its user doesn't want). In terms of your "vaccination" strategy for the Internet, these patches are the ones that matter.
However, in this case, Microsoft might have bundled one of the things that people have been trying to opt out of -- telemetry -- into one of the updates labelled as security only. If they really have, that would be a further significant breach of trust, and given their recent track record with pushing telemetry, GWX and so on, a lot of people are no longer even willing to give them the benefit of the doubt, to the point that some people are no longer applying updates from Microsoft at all, in some cases including security updates. That is bad for almost everyone, and it's been directly caused by Microsoft's repeated abuse of the update system to push user-hostile changes.