How to ensure security updates are installed without daytime interruption in macOS Sierra

I would suggest turning off automatic updates and scheduling a run of softwareupdate yourself. If you’re using shutdown to do the nightly reboot, you could turn that into:

softwareupdate --install --all; shutdown -r now

CNet has an introductory article on “How to apply OS X software updates from the command line”. Below, I’ve quoted sample output from a blog post (though an old one) where softwareupdate is used to install updates that require a restart. You might also be interested in an (old) hint on Mac OS X hints with a more complicated script that installs all available updates, reboots, and repeats the process until there are no more updates left.

iBook-G4:~ root# softwareupdate --install --all
Software Update Tool
Copyright 2002-2007 Apple

Downloading iLife Support       0..20..40..60..80..100
Verifying iLife Support
waiting iLife Support
waiting QuickTime
Downloading Mac OS X Update     0..20..40..60..80..100
Verifying Mac OS X Update
waiting Mac OS X Update
Installing iLife Support        0..20..40..60..80..100
Done iLife Support
Installing QuickTime    0..20..40..60..80..100
Done QuickTime
Installing Mac OS X Update      0..20..40..60..80..100
Done Mac OS X Update
Done.

You have installed one or more updates that requires that you restart your
computer.  Please restart immediately.

As mentioned above, a bash script would be the best way to accomplish this, when combined with a launch daemon to run it at a specific time. I would set updates to download but not install (except security updates, which cover XProtect/Gatekeeper), opting to do so via a script, which would contain something along the lines of:

sudo softwareupdate -ir 
reboot now
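
A fuller version of the scheduled job both answers describe, as an added example that is not part of either answer: it logs what `softwareupdate` did, leaves the machine up if the run failed, and restarts only when the output asks for it. The log path, the function names and the `--run` switch are assumptions, and the restart notice is matched against the wording in the sample output quoted above, so check it against your macOS version.

```shell
#!/bin/bash
# Added example: nightly update job, meant to be run as root by a launch daemon
# (for instance one using StartCalendarInterval). Names below are assumptions.
LOG="${UPDATE_LOG:-/var/log/nightly-softwareupdate.log}"   # hypothetical log path

# Succeeds if the softwareupdate output on stdin contains the restart notice
# ("... Please restart immediately." in the sample output quoted on this page).
needs_restart() {
    grep -qi 'please restart'
}

# Prints the name of every update reported as installed ("Done <name>").
# The final "Done." line has no name after it and is skipped.
installed_updates() {
    sed -n 's/^Done \(..*\)$/\1/p'
}

main() {
    out=$(mktemp) || exit 1
    # Capture everything softwareupdate prints and keep its exit status.
    softwareupdate --install --all >"$out" 2>&1
    status=$?
    {
        echo "=== $(date) softwareupdate exit=$status"
        cat "$out"
    } >>"$LOG"
    if [ "$status" -ne 0 ]; then
        rm -f "$out"
        exit "$status"          # failed run: no reboot, leave the log for triage
    fi
    installed_updates <"$out" | while read -r name; do
        echo "installed: $name" >>"$LOG"
    done
    restart=no
    if needs_restart <"$out"; then restart=yes; fi
    rm -f "$out"
    if [ "$restart" = yes ]; then
        echo "restart required, rebooting" >>"$LOG"
        shutdown -r now
    fi
}

# Only act when explicitly asked, so the helpers can be tested on saved output.
if [ "${1:-}" = "--run" ]; then main; fi
```

The launch daemon would invoke the script with `--run`; without it the script only defines the helper functions.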