My advice is to change the Windows Update (WU) setting to never.
It really depends on where you want to be with your Windows 7 system.
Woody Leonhard has described the situation something like this. Note, I am using my own words here and describing it from my own perspective:
Group A: Roll over and just let MS install what ever they wish on your computer and just don't worry about privacy and the spyware they will install. With this option you leave WU as Delayed start, and set the WU setting at Recommended. This is the easy way and requires no effort or concentration. You just let happen what will. This is essentially what you have with a Windows 10 system.
Group B: Refuse to accept any updates except Security ones. In that case you follow my initial recommendation and leave WU set at Never. You get the Security only updates from the "catalog". There is risk here in B. You are trusting that MS will not put anything in that group that does things you do not want done. A sort of level of trust in MS that I am not sure they deserve. Keep in mind that they have done the same thing with this set of updates they did in the main one. It is all one agglomeration of whatever number of security updates they decide to put in it.
Group C (AKA W): Shut down WU permanently and never again accept a Windows Update. This group feels that the risk of MS changing their machine in unacceptable ways or even bricking it is greater than the risk of a hacker breaking in because some security patch was not installed. I suspect that most people who even think about this topic will opt for this. However since most people think of their computer like a potato peeler, they will not even think about this and things will just happen without them even knowing. They will be Group A and won't even know it.
I am in Group W and would like to be in Group B. It depends on whether I can find a satisfactory way for my 150 or so client machines to be updated. They are average Joes and Janes.
Note that this may not apply to NON-Windows updates such as Office. I am not sure how you can be in group B or W and do this, but I am working on it.
UPDATE November 19, 2016:
It now appears that B is an impractical strategy for 99% of users. And, here is the reason why: When an error is made in a security-only update, if the error turns out not to have a security affect, it may be corrected in a non-security update. In that case if you were following B strategy, you would be left with an un-corrected defective update installed on your computer. If you were extremely diligent and knew about it, you may be able to get the correction in specific cases. This would entail an extreme amount of diligence that few would be willing or able to provide.
The new rollup style of updates that Microsoft is now providing to what we would call Group A, which include all kinds of updates (security and non-security), are cumulative. That means if you miss a month or even more, it will not matter because by installing the latest month's rollup, you would be up to date.
NOTE well, that Security-only updates are NOT cumulative. Which means if you miss a month, you may never get the missed updates.
So one strategy that you may wish to consider is following Group C, but still updating .net and Microsoft Office through Windows Update, but installing no Windows updates at all. It would be advisable in this case that you stop using Internet Explorer because you would not be getting those updates, but instead use an alternative browser.
Then, after following this strategy for some time, if things take a turn for the worse, and you decide you made the wrong choice (Group C with .net an Office updates), you can easily shift to A by simply using the latest offered Rollup offered in Windows Update.
So, as things have evolved, it looks like the vast majority have really only two choices: A as described above or C (modified as described above). The good news is that if you follow the modified C strategy, you have a way back to the Microsoft way, that is easy to implement.