Concerning the automated updates, I also think about turning them back on in production.
However, I would still use composer and run composer update on dev/staging and test there, too. This allows me to roll back to known well working versions of core + plugin versions/sources even if the site suddenly breaks on production (the downside of automated updates).
2 Likes