But, what about updates?

Ah yes, updates... That ssh loop sure was taking longer to run, and missing more machines each time.
Any push based method is doomed. If you're triggering updates by push, you're doing it wrong :)
Now, it's common to run apt-get or yum from cron and hope updates will mostly work that way.
For those of you who have tried running apt-get/dpkg/rpm/yum on thousands of servers, you may have found that random failures, database corruptions (for rpm) due to reboots/crashes during updates, and other issues make this not very reliable.
Even if the package database doesn't fail, it's often a pain to deal with updates to config files conflicting with packages, or unexpected machine state that breaks the package updates.

Ah yes, updates... That ssh loop sure was taking longer to run, and missing more machines each time.