Just voted for the “Lazy SysAdmin auto-update” choice. I do believe that this would be the best option, only if there is the ability to turn it off easily, and only if all updates are tested to not break supported configurations prior to being sent downstream. As @planet_jeroen said above
One request for this though, if/when an update does get installed a email should be sent to the administrator with details about the update.
As for the subscriptions I think it looks great!