Technically no one needs to use the MS Windows update service; Windows 7 can be updated with offline MS updates. It can also install from USB media and supports slipstreaming updates natively. I don't see the logic in installing updates and root certs from file sharing services or other 3rd parties.
It's unclear what issues you are solving and why you needed to do any of the above or outsource your trust to 3rd parties when you grant a certain level of trust running the OS in the first place.
Again I'll give the divorce the wife and date the hooker analogy, seems like a risky trade off.
It seems like you don't have the experience in this subject. Try updating an old image because you can no longer get any updated images from m$. Try it and see for yourself.
That cert is safe, look at censys, I've also added a cryptographic hash for verification. The reason MS will not sign it anymore is that the OS is EOL. Maybe, just maybe, Server 2008 kernel patches work on win7 and cert, idk, I'd have to extract the updates and look, but 2008 is also EOL now and companies have migrated. I can ask my buddy, he works at a big telecom company and does migrations all day long.
Regarding the updates: this is just so you don't have to risk bootlooping your OS while using the built-in updater that installs all the crap updates, which happens a lot in the older version while installing 400+ updates.
Just a shortcut, and like again, https://gitlab.com/wsusoffline/wsusoffline what risk, you can compile and look in the source code yourself. Also, it works as follows: you fork all update packages from MS services and use an offline service to install them instead of using the automatic update service, which somewhat sucks and messes stuff up. Slipstreaming takes a lot of time (but you're right, sure, it's possible). 3rd party crap that isn't open should rather make a bell ring. I remember the old days of the outsourcing firm that worked in our company when we migrated from unix to win. They had a hard ball trying to do the same all according to the book: slipstreaming the updates, testing, fixing bugs, disabling shit like badusb by disabling usb pens in policy. Even in terminal services, they defaced instances by rundll32 (this was a decade ago or longer by now). So this is just my two cents, I've made too many WIM images. This worked for me the best. I am just sharing my knowledge. If we talk about security, just toss all your old crap in the bin right away, because the USER is the fault, not the os, but if the os is wacked this is a problem in 3 2 1 right now... Unless you say I'll welcome all unwanted guys in my system. How hard is it? Not hard at all. Just play with msf framework. So tinkering and modding stuff out and disabling services isn't a bad thing if you know what you are doing and if you want to extend its lifespan a bit beyond the support. It only makes the system safer, from a security perspective/pov. The golden rule: decrease the attack vector, make it really small. Same on your unix boxes.
Some fun facts to add here. I've worked on IPCS a lot (in food, car, medical industry, machine builders), and most customers rely on system stability a lot; they even deploy old OS as we speak because the fact is it's much more resilient and reliable. They indeed are completely offline or in a different vlan, communicated by I/O cards or custom protocols. Why is this? msvbvm60 is less buggy on the old kernel, and there are companies who can't afford to have big off time because of high customer demands. Just a few examples I can give. Like, yeah, why still use old crap, why not migrate 50k lines of code. Just replace all systems! Good luck with that, hah. Some customers are not happy to see Candy Crush on their IPCS screen, random crashes, dead ssds, and no system dumps. Yeah, Ikr, there are industrial editions, but guess what those licenses go for a pop. Also, many companies with expensive ASIC capture cards or MLS were advised to use old OS. Kinda funny, but that's how it works: testing the drivers and hardware reliability on a modern version is expensive, and also often really buggy too because of different reasons. This is my experience, others may differ. "Opinions are like assholes, everybody's got one and everyone thinks everyone else's stinks."