
On Ubuntu and Debian there is a package for this: unattended-upgrades.

The default configuration should work fine for most.



I've had problems on some servers where unattended-upgrades would install new kernel versions without removing the old ones, and end up filling my /boot partition.


Ditto, for this reason I leave it off. Also, I want to be able to verify patches in staging. Kill me if you want, but we only patch once a month for this reason. For critical things like Heartbleed, Meltdown, Spectre we fast-track them, obviously. I find it helpful to subscribe to all security lists of core services to know if something really nasty is out there.


You can install Canonical livepatching, I think it deals with actually applying new kernels and removing old ones. https://www.ubuntu.com/livepatch


sudo apt install byobu

sudo purge-old-kernels



