It would definitely be a bad idea to run Composer update via cron because unless you know for sure that future versions of packages won't break any functionality you built on top of them, your website could stop working (or worse start working in unexpected ways) without your knowledge.
Maintain a staging environment (even in a temporary virtual machine if necessary) and run your updates in that environment first, then check it, and then deploy to production once you've confirmed everything is ok.
This requires some combo of having a support contract with a budget large enough for manual QA or having built automated tests with the initial work. Vast majority of projects at build-and-forget CMS agencies simply won't. (The reason Drupal and PHP thrive in these environments is because clients can't be upsold out of their cheap LAMP shared hosting.)
Maintain a staging environment (even in a temporary virtual machine if necessary) and run your updates in that environment first, then check it, and then deploy to production once you've confirmed everything is ok.