This post contains affiliate links.
Some hosting providers offer auto updates of WordPress and plugins under certain conditions but usually they lag too long, for instance I got a notice from Bluehost and HostMonster that they were going to update the Disqus and AIO SO Pack WordPress plugins due to security vulnerabilities yet this announcement is weeks late (better late than never) and I had already been running the newest versions since the day they were released. WordPress itself since it hosts plugins in the repository can do a little more to alert users about WordPress plugins, for instance, you know at least 1 plugin needs to be updated when you log into your dashboard and you see.
But I know way too many WordPress users and clients who never bother to notice and even check to update these plugins, I have logged into some clients where they have outdated versions years old as they write posts with Writer but never actually log into dashboard, or static sites that may not add new content and just leave it alone for long periods of time.
An auto update feature should exist with logging, this should be something offered by the hosting provider or WordPress in my opinion. A flag that you can say "auto update plugins when updates are available" and choose a time slot. There is a slim chance that plugin updates can cause issues or problems with the theme or site itself, but these are less likely than a security vulnerability which could have someone take over your site or turn it into a tool to attack other sites without you even noticing that something is amiss.
Security Patching and updates must be common place, assume you will patch constantly and always check your WordPress daily or as frequently as possible for patches and patch to the latest version of plugin as well as WordPress itself. Also it is important to make sure you are using some sort of WordPress security protection whether it is a plugin or Incapsula which I prefer, this will help block and prevent attacks, malicious bots and attempts from compromising your WordPress site.