Well, I'm going to, not so much "eat my hat" but at least have a little nibble at its edges. I just came across a situation in which in the space of a few days I tried installing and using two new programs and Win7 SP1 told me that the drivers the programs were trying to install weren't digitally signed -- so Win7 wasn't going to let the programs install them. I went off and did some research and found out that the drivers the programs were trying to install were signed but using SHA-256 signatures. And, it seems, Win7 x86/x64 at SP1 level, and with no other updates installed, can't read the signatures.
Cutting a long story short, the solution was to install the following updates (and in the following order):
KB3035131 (download can be accessed via here): https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2015/ms15-025
KB3033929 (download can be accessed via here): https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2015/3033929
So, Taos, or anyone else that is reading/following this thread and trying not to update their Win7 SP1 system unless really necessary, it would seem that these two updates are moving into the necessary stage as more and more software developers will move towards digital signing using SHA-256. So, going by my experience, I'd recommend installing those two.
Now I'm thinking that it would be a useful addition to this "Windows 7" section of the forum if there was a kind of 'sticky' thread where people using Win7 SP1 that are trying to avoid updating it, if possible, could post information on updates that, over time, they've found are necessary but that avoid Microsoft spyware and other suspect stuff. Of course, don't just say, "Install KBxxxxxxx," say why it's pretty well essential to do so too.
Hope this helps.
Important Edit: erpdude8 has posted a correction to this post (see erpdude8's post below). Do not install KB3035131 -- it is obsolete. Instead install KB3071756 -- again see erpdude8's comments below with a link to the update.