I do have a test domain where the index is locked with a basic HTTP password. I could try the automatic update package there, but in the past after using that it was a disaster. So I refuse to use automatic updates again. I do of course backup the how enchilada all the time so if something goes wrong it's no problem. I'm pretty well familiar with replacing the site with a backup.
And in case anyone was wondering about the security with using a basic HTTP password. I do know about a request hack to bypass it, but in my testing I wasn't successful. Also, the user name and password are such that Hydra would have a hell of a time brute forcing it, and if I see thousands of requests I'll block their ASN.