With a simple addition you can dissalow anyone but you to reach update.php on your site. Off course Drupals update.php is secured and requires you to edit the file in order to update. But at that moment (no matter how short time that may be) anyone can start upgrading your site. Especially when upgrading multisites this can be dangerous: it may take two days to finish all the upgrades: two days that anyone can break any of your databases.
Just add this simple block of accessrules to the .htaccess in your Drupal root.
<FilesMatch "update.php.?"> Order deny,allow Deny from all Allow from 18.104.22.1689 </FilesMatch>
Replace 22.214.171.1249 with your own IP address.
If you don't have a static IP, you may want to make this even fancier by adding a simple htpasswd authentication for update.php. But that is left for you as homework :).