It is the biggest threat to your computer.
This is simply false. You seem to be committed to it, though, so I won't try to change your mind. I will just point it out for other users who happen to read the thread.
No Spectre or Meltdown viruses exist.
You literally do not know this, so I don't know why you keep saying it.
What are the odds that if you downloaded the patch it would screw your PC up? Quite high. Look at all the people being affected by these updates. Millions of them.
It isn't quite high. You are simply using this as an example to make a blanket statement. Thousands of patches come and go without issue. Again, waiting a week wouldn't cause an issue, as you'd see that there is a chance this particular patch could cause a problem. The patch gets pulled, and a better one is released. You don't have to be bleeding edge, but 3-6 months is an arbitrary time frame made up by you, and doesn't comply with any sort of best practice.
I might also add most viruses are rather benign. A keylogger, a browser hijacker, and a trojan. All these things are very fixable.
Whatever the risk is worth to you I guess. The bad guys only have to get it right once, and then you are dealing with stolen identity issues for the next 5 years.
You are just wrong. You picked examples like the NHS and those are entities that are several years behind with updates.
You suggesting that I am wrong shows your ignorance once again, and I would caution anyone reading to question your advice on anything I.T. related. In this SMB case, Microsoft released a patch 2 months or so before the first major attacks. You pretending this isn't a risk is irrelevant. You don't have to be years behind to be impacted, as evidenced by this specific example.
Not 3-6 months. Many companies take at least 6 months, just to finish testing for compatibility with in-house software. They aren't installing next day updates. That is not anecdotal ... that is industry standard. You don't run bleeding edge updates in large organisations.
Bleeding edge is updating prod the same day a patch is released. Companies may have 3-6 month delays, but it doesn't change the fact it is bad practice, and likely driven by inefficiency. And it isn't an industry standard, stop making things up. I've worked for plenty of very large organizations, and we rolled about a month behind, sometimes 6 weeks for extra change management.
There is no need as a home user to be up to the minute. You only run the risk of installing a botched update, the prevalence of which has increased dramatically of late. You aren't likely to be able to test it and find such errors yourself ... just let large corps do the work, let those who claim vulnerability bounties knock themselves out testing ... and when the coast is clear 3-6 months later ... install.
I agree not "up to the minute." For some reason you seem to suggest there isn't a middle ground between the day a patch is released and your arbitrary "3-6 months."
Obviously we aren't going to agree on this. I am just compelled to point out that you are suggesting bad practices. People and businesses can weigh the risk and make their own decisions, but to try to pretend a bad practice is not a bad practice because of $REASON is juvenile. To call it a "standard" is dishonest and speaks to limited experience. Again, people engage in bad habits all the time, but they should at least be self-aware that it is a bad habit and not try to pretend otherwise.