Honestly, my approach on most of this is if it isn't broke don't fix it. If that server can't reach the internet, then the attack surface for security updates is pretty small. And if the server is functioning properly, then I would be very hesitant to update. However, IT doesn't usually see things that way, and if they are forcing your hand, I would plan on a backup and update during a maintenance day.
No internet access. There is only a monthly security scan by IT. No security alerts nowadays.
But our Ignition app has some issues, and one lead is to install the CUs.