WSUS is all we need. The computers are updated the day the patches are released, and you can modify the update behavior using Group Policy, i.e. delay reboot, don’t prompt, etc. You can also configure WSUS to send you an email when it updates with new patches, so you are always on top of when they will be patched.
WSUS should be adequate for this size of computer population. We have >3000 computers distributed across 18 sites. WSUS was not really the right tool for a distributed environment. It did not have adequate reporting or replication so the updates would be close to the clients. We are moving to System Center Configuration Manager.