I was reading this blog http://insights.ubuntu.com/2016/10/31/dirty-cow-was-livepatched-in-ubuntu-within-hours-of-publication/ that explained how Livepatch users got the dirty cow fix really quickly.
What I would like to know is, does canonical push out security updates, or are they pulled in by the scheduled update task?
Your question IMO is quite broad and security is a complex topic.
Ubuntu security notices are here - https://www.ubuntu.com/usn/
To answer your question, no ubuntu does not "push" anything on you, you have to update your system. Updates include bug fixes and security patches.
You can automate security only updates if you so desire - How can I install just security updates from the command line?
Ubuntu uses apparmor to help guard against zero day exploits. See https://wiki.ubuntu.com/AppArmor and https://help.ubuntu.com/community/AppArmor although I am not sure if apparmor would work in this situation I suspect not.
Other security models exist although I do not believe any was effective against dirty cow.
