I reported on this bug perhaps a year ago: no number of software update cycles updates security settings leaving Macs exposed and vulnerable.
The proof is running 'software update' at the command line, which shows that a bunch of security stuff had not been downloaded!
While I had not hadturned on I did/do have “ ” turned on. I have enabled because apparently no check is made unless you also automatically install. Dsign insanity.
diglloyd-MacPro:JavaVirtualMachines lloyd$ softwareupdate -ia --include-config-data Software Update Tool Finding available software Downloading Gatekeeper Compatibility Data Downloading MRTConfigData Downloading XProtectPlistConfigData Downloaded XProtectPlistConfigData Downloaded MRTConfigData Downloaded Gatekeeper Compatibility Data Installing Gatekeeper Compatibility Data, MRTConfigData, XProtectPlistConfigData Done with Gatekeeper Compatibility Data Done with MRTConfigData Done with XProtectPlistConfigData Done.
Some GUI tools are available for this stuff at https://eclecticlight.co/lockrattler-systhist/. Call me confused though on what status like “1.45 should be 1.45” means... at the least it is confusing.