SharePoint - How should I approach patching our SharePoint servers, to make sure I will not face unexpected problems
While it is recommended to install security updates as soon as possible, you will need to evaluate the security risk of not installing a particular security patch. This is something we will not be able to help you with.
You do not need to install the Cumulative Update if you do not wish to install it.
Yes, some non-CUs increment the farm build number due to an updated copy of Microsoft.SharePoint.dll. Other security patches may only deploy new JavaScript or ASPX files, etc., which would not increment the farm build number.
You already found out a lot of stuff regarding security updates, CUs and version number increments. There's nothing wrong in your post, but I would like to add some comments, especially on your questions:
It is valid to install security patches for Windows, including SharePoint-specific security updates (if there is one available that month). Theoretically this shouldn't break things. But Microsoft is not perfect in providing patches, and sometimes they publish buggy updates. One example just occurred some weeks ago: security patch MS16-004 broke a lot of farms at our customers. More information on that example can be found here: http://www.toddklindt.com/blog/Lists/Posts/Post.aspx?ID=616. So testing is also recommended for security updates. Or wait with installation until others have done that for you :-)
You do not have to install a CU after applying security updates, even if they increment your farm version. If you want to install a CU, you should use one that increments your farm version again. I have seen problems with the version check if you do not do so (i.e. if you install a security fix that brings your farm version to the January 2016 CU level, you should at least install the February CU to be fine).
As described, your way to patch the farm is valid. But because of the possibility of a buggy patch, things might break unexpectedly.
One EXCELLENT source for SharePoint patches is the list from Todd Klindt: http://www.toddklindt.com/blog/Lists/Posts/Post.aspx?ID=346. Read 'Bugs, Notes and Regressions' to find the errors that hurt a lot of people.
My standard recommendation is to install CUs only once or twice per year and to exclude SharePoint security updates from the monthly patch day (just install 'Windows-generic' security updates). SharePoint security updates can mostly be excluded via WSUS if you exclude the 'Office' category for your SharePoint servers. But I can understand it if your company policy forces you to update your servers AND applications shortly after a hotfix is released. A lot of people also apply this policy if they publish their farm to the internet. Then you have to live with that uncertainty or take the time for testing.
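The two answers above both turn on the same practical question: after a security update or CU has been installed, does the farm build version still match the binaries on disk, and does every server and content database report that no upgrade is pending? The following PowerShell is an added example (not code from either answer or from Microsoft) that snapshots that state before patching and checks it again afterwards. It assumes a SharePoint 2013 farm (hive `15`; use `16` for 2016/2019), that it runs in the SharePoint Management Shell as a farm administrator, and that the Microsoft.SharePoint.dll file version is a reasonable proxy for the build level the last binary patch brought in (a JS/ASPX-only security fix, as the first answer notes, will not change it).

```powershell
# Added example, not part of the original answers.
# Assumptions: SharePoint 2013 (hive 15), run as farm admin in the SharePoint Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$Hive   = "15"   # assumption: SharePoint 2013; use "16" for SharePoint 2016/2019
$SPRoot = Join-Path $env:CommonProgramFiles "Microsoft Shared\Web Server Extensions\$Hive"

function Get-FarmPatchState {
    # Refresh the local server's product/patch information first; after a patch has been
    # installed the cached data can otherwise be stale.
    Get-SPProduct -Local | Out-Null

    $farm = Get-SPFarm
    $dll  = Get-Item (Join-Path $SPRoot "ISAPI\Microsoft.SharePoint.dll")

    [pscustomobject]@{
        FarmBuild             = $farm.BuildVersion.ToString()
        LocalDllVersion       = $dll.VersionInfo.FileVersion
        ServersNeedingUpgrade = @(Get-SPServer          | Where-Object { $_.NeedsUpgrade } | ForEach-Object { $_.Name })
        DbsNeedingUpgrade     = @(Get-SPContentDatabase | Where-Object { $_.NeedsUpgrade } | ForEach-Object { $_.Name })
    }
}

function Test-FarmPatchState {
    # Returns $true only when nothing in the farm is still waiting for PSConfig.
    param([Parameter(Mandatory = $true)] $State)
    $ok = $true

    # A security fix or CU that replaced Microsoft.SharePoint.dll raises the version the DLL
    # reports; the farm build stored in the configuration database only catches up once
    # PSConfig has run. A mismatch here is the "Upgrade Required" situation.
    if ($State.LocalDllVersion -ne $State.FarmBuild) {
        Write-Warning "Binaries report $($State.LocalDllVersion) but farm build is $($State.FarmBuild): run PSConfig on every server."
        $ok = $false
    }
    if ($State.ServersNeedingUpgrade.Count -gt 0) {
        Write-Warning ("Servers still needing upgrade: " + ($State.ServersNeedingUpgrade -join ", "))
        $ok = $false
    }
    if ($State.DbsNeedingUpgrade.Count -gt 0) {
        Write-Warning ("Content databases still needing upgrade: " + ($State.DbsNeedingUpgrade -join ", "))
        $ok = $false
    }
    return $ok
}

# 1. Snapshot before touching anything, so you can prove what the farm looked like.
$before = Get-FarmPatchState
$before | ConvertTo-Json | Set-Content (Join-Path $env:TEMP "farm-before.json")
$before

# 2. Install the security updates / CU binaries on EVERY server in the farm, then run
#    PSConfig on each one (Central Admin server first). Assumed command line:
#    & (Join-Path $SPRoot "BIN\PSConfig.exe") -cmd upgrade -inplace b2b -wait `
#        -cmd applicationcontent -install -cmd installfeatures -cmd secureresources -cmd services -install

# 3. Verify; a $false result means the farm is in the half-patched state the second answer warns about.
$after = Get-FarmPatchState
$after
Test-FarmPatchState -State $after
```

Keep the `farm-before.json` file with the change record: if a patch turns out to be one of the buggy ones, knowing the exact farm build and which databases were already at which level is what makes the "Bugs, Notes and Regressions" notes on Todd Klindt's list actionable for your farm.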