Commit f159f28

Fix reality of security patches
1 parent ca1bf9a commit f159f28

1 file changed

+1
-1
lines changed

articles/aks/concepts-vulnerability-management.md

Lines changed: 1 addition & 1 deletion
@@ -76,7 +76,7 @@ The following table describes vulnerability severity categories:
7676

7777
AKS patches CVEs that has a *vendor fix* every week. CVEs without a fix are waiting on a *vendor fix* before it can be remediated. The fixed container images are cached in the next corresponding Virtual Hard Disk (VHD) build, which also contains the updated Ubuntu/Azure Linux/Windows patched CVEs. As long as you're running the updated VHD, you shouldn't be running any container image CVEs with a vendor fix that is over 30 days old.
7878

79-
For the OS-based vulnerabilities in the VHD, AKS uses **Unattended Update** by default, so any security updates should be applied to the existing VHDs daily. If **Unattended Update** is disabled, then it's a recommended best practice that you apply a Node Image update on a regular cadence to ensure the latest OS and Image security updates are applied.
79+
For the OS-based vulnerabilities in the VHD, AKS also relies on node image vhd updates by default, so any security updates will come with weekly node image releases . Unattended upgrades is disabled unless you switch to unmanaged which is not recommended as its release is global.
8080

8181
## Update release timelines
8282
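
Review bot: The added line 79 states that OS security updates "will come with weekly node image releases" but drops the guidance the removed line carried, namely to "apply a Node Image update on a regular cadence". As written, a reader cannot tell whether existing nodes pick up the new image on their own or whether they must upgrade the node image themselves, and that is the point that decides how long a node keeps running an unpatched OS. Suggest stating explicitly what the operator has to do to get the weekly image onto running nodes. The second sentence also needs tightening: "switch to unmanaged" does not name the setting being switched, and "its release is global" does not explain why that makes it not recommended. Wording nits on the same line: "vhd" should be "VHD" to match line 77, there is a stray space before the period after "releases", "Unattended upgrades is disabled" should agree in number, and the feature name should match whatever term the rest of the article uses (the removed line called it **Unattended Update**).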
