Thanks for replying, Michael. I've seen that post before and it's impressive, but I prefer less automation until my trust with the product builds.
Inevitably, if I compare what Symantec Remediation Center says I need to what Windows Update says, it doesn't match. A few times Remediation Center has said my machines are vulnerable for patches that Windows Update doesn't say I need (seemingly happening more lately than a year ago, when I don't think this was happening to me at all). In those cases, I side with Microsoft and don't install the patch.
Also, each month there are patches that MS says I need that Symantec's PMImport doesn't include until I put a ticket in (or sometimes post an idea). Or worse, a patch is available but fails to install properly because of a wrong command line in the PMImport, or the patch didn't download the latest version 2, etc.
I'm lucky that I can devote the time to really troubleshoot patches as they become available; I don't come even close to trusting PM enough to let it move policies to production for me after X days. Unfortunately, I have had tickets in with the Patch team for months about patches not installing/reporting properly.
Here's one of my prior threads as an example:
https://www-secure.symantec.com/connect/forums/cms-7x-patch-mgmt-support-frustrations-it-just-me
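The cross-check the poster describes doing by hand (a patch tool says a KB is missing, Windows Update says otherwise) can be scripted on the endpoint itself. The following is an added example and is not part of the original post or of Symantec's product; it uses only the built-in Get-HotFix cmdlet and the Windows Update Agent COM API, and the $ReportedMissing list is a constructed sample with hypothetical KB numbers standing in for whatever the third-party tool flagged.

```powershell
# Added example (not from the original post): reconcile a third-party patch tool's
# "missing" list against what Windows itself reports before deciding to install.
# Constructed sample input: hypothetical KB numbers the tool claims are missing.
$ReportedMissing = @('KB1234567', 'KB7654321')

# 1. What Windows says is already installed. Get-HotFix reads the same servicing
#    data as "wmic qfe" and the Installed Updates list in Control Panel.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

# 2. What the Windows Update Agent itself still considers missing. This is the
#    engine behind Windows Update, queried through its COM interface, so it
#    reflects the machine's configured source (WSUS or Microsoft Update).
$session    = New-Object -ComObject Microsoft.Update.Session
$searcher   = $session.CreateUpdateSearcher()
$pending    = $searcher.Search("IsInstalled=0 and Type='Software'").Updates
$pendingKBs = foreach ($u in $pending) { foreach ($kb in $u.KBArticleIDs) { "KB$kb" } }

# 3. Classify each KB the tool flagged so the decision is explicit.
foreach ($kb in $ReportedMissing) {
    if ($installed -contains $kb) {
        "$kb : tool says missing, but Windows reports it INSTALLED (stale tool data?)"
    } elseif ($pendingKBs -contains $kb) {
        "$kb : tool and Windows Update agree it is missing -> install"
    } else {
        "$kb : tool says missing, Windows Update does not offer it -> investigate (superseded or not applicable?) before installing"
    }
}
```

Two caveats: Get-HotFix only lists updates installed through the Windows servicing stack, so a KB for a non-OS product can be installed without appearing there, and the COM search returns what the configured update source would offer, which is exactly the "what Windows Update says I need" side of the comparison above, but only if the machine can reach that source at the time the script runs.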