For patches/updates, you can if you whitelist directories instead of application names/hashes... with system lockdown you can whitelist both ways if you choose.
For example:
C:\Program Files\* would allow any application to run in the Program Files directory
C:\Program Files\*\* would allow any application to run in the Program Files directory and sub directories
Any time the hash changes, yes you would need to update the list.
You could whitelist just by name as well, although this is less secure. Using the hash value is the safest but requires more time and resources.
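As an added illustration (this is example code written for this page, not the original poster's and not any vendor's lockdown implementation), the following Python model evaluates an executable against the two rule types the post describes: directory patterns (`C:\Program Files\*` for the directory itself, `C:\Program Files\*\*` for the directory and its subdirectories) and content hashes. The matching semantics of `*` versus `*\*` are taken literally from the post; a real product may differ in detail. The hash algorithm (SHA-256), the rule names and the "file contents" are all assumptions constructed for the example.

```python
import hashlib
import ntpath

# Constructed sample "executables": the same program before and after a patch.
# Any real patch changes the bytes, so the SHA-256 changes too.
APP_V1 = b"MZ...pretend this is app.exe version 1.0..."
APP_V2 = b"MZ...pretend this is app.exe version 1.1 after patching..."


def _components(p):
    """Split a Windows path or pattern into lower-cased components."""
    return [c for c in ntpath.normpath(p).lower().split("\\") if c]


def matches_directory_rule(pattern, path):
    """Directory rule semantics as described in the post (assumption):
    'DIR\\*'   -> files directly inside DIR only
    'DIR\\*\\*' -> files in DIR and in any subdirectory of DIR
    anything else -> an exact path entry."""
    pat = _components(pattern)
    parts = _components(path)
    if pat[-2:] == ["*", "*"]:
        prefix, recursive = pat[:-2], True
    elif pat[-1:] == ["*"]:
        prefix, recursive = pat[:-1], False
    else:
        return parts == pat
    if parts[: len(prefix)] != prefix:
        return False
    remaining = len(parts) - len(prefix)
    return remaining >= 1 if recursive else remaining == 1


def sha256_of(contents):
    """Hash the file contents; this is the value a hash-based entry stores."""
    return hashlib.sha256(contents).hexdigest()


def is_allowed(path, contents, dir_rules, hash_rules):
    """Return (allowed, reason). Hash entries are checked first because they
    identify exactly one file version; directory rules allow anything placed
    in the matched location, which is why the post calls them less strict."""
    digest = sha256_of(contents)
    if digest in hash_rules:
        return True, "hash entry " + digest[:12]
    for rule in dir_rules:
        if matches_directory_rule(rule, path):
            return True, "directory rule " + rule
    return False, "no matching rule"


if __name__ == "__main__":
    hash_rules = {sha256_of(APP_V1)}          # whitelisted by hash: version 1.0 only
    dir_rules = [r"C:\Program Files\*"]       # whitelisted by directory: top level only

    # Hash-only policy: the patched binary is blocked until the list is updated.
    print(is_allowed(r"C:\Program Files\app.exe", APP_V1, [], hash_rules))
    print(is_allowed(r"C:\Program Files\app.exe", APP_V2, [], hash_rules))

    # Directory policy: patches keep working, but so would anything dropped there.
    print(is_allowed(r"C:\Program Files\app.exe", APP_V2, dir_rules, set()))

    # '*' does not reach into subdirectories; '*\*' does.
    print(matches_directory_rule(r"C:\Program Files\*", r"C:\Program Files\Vendor\app.exe"))
    print(matches_directory_rule(r"C:\Program Files\*\*", r"C:\Program Files\Vendor\app.exe"))
```

The two `print` lines at the end show the practical difference between the two directory forms from the post: a rule ending in a single `*` does not cover `C:\Program Files\Vendor\app.exe`, while the `*\*` form does. The hash-only run shows the maintenance cost the post mentions: after a patch the stored hash no longer matches and the entry must be updated.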