I suppose it does give Apple more control. If they decide they don't want a specific update to work any longer, they can let it expire and then folks would need to use something else (like a newer/safer update that covers the same patch).
For EFI (per the screenshot) I wonder if they are looking to protect against the risk of an update that introduces an EFI vulnerability. Unless Apple is checking a certificate revocation list (or similar) then an attacker could apply that vulnerable update. Letting it expire sets a limit for how long it can be exploited. Just a guess.
