In an ideal world you could apply every update to every software package on the PC, with maybe a day's delay so IT can test compatibility with the current applications. We all know that ideal doesn't apply to most factory environments.
The best industrial PC security practices I've seen amount to building a standard, known-good image and then doing as much as possible to lock it down and prevent any changes to the system.
Approaches 2 and 3 below, taken together, make it hard for viruses/malware to run on the system at all, and even if something does run, it will have trouble getting anything installed permanently.
1) Don't install anything from scratch on each IPC. Create a standard image, test that it works, and then deploy it on every new IPC you get. Obviously, this only works for stations that are identical; you may need multiple images for different PC types or PC uses.
2) The Enterprise and IoT Enterprise editions of Windows 10 come with a feature called the Unified Write Filter (UWF). This is a newer version (which also combines a few related features) of a feature I've used in Windows 7 called the Enhanced Write Filter. Essentially it intercepts writes to the volumes you configure it to protect and redirects them to an overlay, normally a RAM disk. The PC keeps operating as "normal", but no changes reach the protected disk, so in theory the PC is in the exact same state on every boot. Two things need watching in practice: the overlay has a fixed size and writes start failing once it fills, so size it for the longest expected uptime between reboots and exclude only the paths that genuinely need to persist; and Windows Update or antivirus definition updates only land on the real disk if the filter is disabled or put into its servicing mode first.
I've generally seen it set up so that the system partition (the C: drive) is protected by the write filter, while a separate D: drive for data is left unprotected. That gives you a place for data logging, etc. Depending on the system, HMI projects may need to be stored on the protected drive to avoid tampering.
3) Antivirus software is good, but it is best suited to situations where you don't know what software is supposed to be on the PC and therefore have to try to detect known-bad things. For industrial environments there is a better approach, called application whitelisting. Instead of a traditional blacklist-based antivirus searching for bad software and trying to prevent it from running or delete it, the whitelisting software takes a snapshot (signatures or hashes) of the known-good software and then doesn't allow anything else to run. This works precisely because an IPC built from a fixed image has a small, stable set of software; the whitelist has to be regenerated whenever that image changes.
I've had a few customers who have had success with McAfee Application Control as a whitelisting solution.
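As an added example (not part of the original post, and not the McAfee product's own configuration), here is how approaches 2 and 3 look when done with the features built into Windows 10 Enterprise / IoT Enterprise: the Unified Write Filter via uwfmgr.exe, and AppLocker standing in for a commercial whitelisting product. It assumes the script runs elevated on the golden image before it is captured, that C: is the system volume and D: the data volume, and that the log folder, registry key, policy file path and test binary path are hypothetical placeholders.

```powershell
# Added example: lock down an IPC image with UWF (approach 2) and AppLocker
# (approach 3). Not from the original post; paths and names marked as
# hypothetical are placeholders to replace for a real line.
#Requires -RunAsAdministrator

# --- Approach 2: Unified Write Filter ---------------------------------------

# UWF ships as an optional feature. Enable it, reboot, then run the rest.
Enable-WindowsOptionalFeature -Online -FeatureName Client-UnifiedWriteFilter -NoRestart

# Redirect writes to a RAM overlay. 1024 MB here; size it for the longest
# expected uptime between reboots, because writes fail once the overlay fills.
uwfmgr.exe overlay set-type RAM
uwfmgr.exe overlay set-size 1024

# Protect only the system volume. D: is deliberately left unprotected so that
# data logging, recipes and reports persist across reboots.
uwfmgr.exe volume protect C:

# Exclusions: paths on C: that must persist even though C: is protected.
# Keep the list short; every exclusion is also a place malware could persist.
uwfmgr.exe file add-exclusion "C:\ProgramData\Acme\Logs"       # hypothetical log folder
uwfmgr.exe registry add-exclusion "HKLM\SOFTWARE\Acme\HMI"     # hypothetical runtime settings key

# Turn the filter on; protection takes effect after the next reboot.
uwfmgr.exe filter enable

# Review the resulting configuration before capturing the image.
uwfmgr.exe get-config

# To patch a protected machine later, enable servicing mode and reboot; the
# updates then land on the real disk instead of the overlay:
#   uwfmgr.exe servicing enable

# --- Approach 3: application whitelisting with AppLocker --------------------

# AppLocker enforcement depends on the Application Identity service.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Take the "snapshot" of known-good software: every exe/dll/script/MSI under
# the standard program locations on the golden image.
$dirs  = 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)'
$files = $dirs | ForEach-Object {
    Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe, Dll, Script, WindowsInstaller
}

# Publisher rules first (they survive a vendor update signed with the same
# certificate), hash rules for anything unsigned. Nothing else is allowed.
$policyXml = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
    -User Everyone -Optimize -Xml

# Start in audit mode: would-be blocks are logged without stopping production.
# Change AuditOnly to Enabled only after a full shift has run clean.
$policyXml  = $policyXml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
$policyPath = 'C:\ProgramData\Acme\applocker-audit.xml'    # hypothetical path
$policyXml | Set-Content -Path $policyPath -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $policyPath

# Sanity check against an unsigned binary dropped outside the image (a
# hypothetical test file you place there); expect PolicyDecision = Denied.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path 'C:\Users\Public\dropped.exe' -User Everyone

# After a test run, list what audit mode would have blocked: event 8003 means
# "allowed to run, but would have been prevented if the policy were enforced".
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 |
    Where-Object Id -eq 8003 | Select-Object TimeCreated, Message
```

Run the UWF half, capture the image, and do the AppLocker half on the same golden image so the whitelist describes exactly what the image contains; when the image is rebuilt with new software, regenerate the policy rather than hand-editing it. AppLocker on Windows 10 is an Enterprise/Education feature, which lines up with the editions UWF needs anyway.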