You have to keep these things in mind. Any applications pushed via GPO, SCCM, WSUS, or any other management application will get dropped into the User Personalization Layer. This is one area that I could see being an issue. If you then go back and update the base OS layer or an application layer underneath and push that update to the machine, the changes in the User Personalization Layer will still take precedence.
In our environment, I disabled Windows Update via GPO for my Unidesk machines and manually maintain the base OS image. I schedule the update to a couple of test VMs and I build a new VM with the new updated OS layer, just to make sure both work. Then and only then do I schedule the update to all the machines I want, with the option to boot people off of the machine if they are logged on. If I forget that last part, I get to chase my tail for a day or two getting the machines updated that have people who stay on them all the time.
It's a very small price to pay for updating all of those machines in an evening. The only applications that I know are embedded on my machines after they are completely spun up are my Forefront AV client and the Websense Endpoint Client that we push through GPO. They get updated all the time anyway, so I really can't update my base OS that often.