Ok, just trying to figure out whether you were having an issue with Fixlet relevance (false positive / false negative) or an issue with the workflow. At this point it sounds like a workflow thing.
As far as I’ve seen, BigFix doesn’t give the kind of automation you’re looking for out of the box. It expects an operator to vet which patches to deploy and choose those, unlike Windows Update. For those of us in tightly-managed environments this is a good thing, but is contrary to what a lot of people who like Windows Update’s hands-off approach would expect.
Patch Policies might be helpful to you, I haven’t tried it myself. Server Automation probably not so much, as you still need to choose which fixlets to add to your baselines; Server Automation can dynamically create Actions from those baselines, but you still need to pick the patches.
Custom code using REST can do what you’re looking for, but you’ll want to be careful in how you automate selecting the fixlets to apply. There are a lot of fixlets you should not apply; for example there are conflicting fixlets for Spectre mitigations - a fixlet to turn the mitigations on, and another to turn them off.
Using REST requires a Console Operator credential, so you wouldn’t want all of the endpoints running it, but you could have a script on any single machine run and create baselines and actions targeting any computers or computer groups in the environment.
Have a look at what’s available for REST API at https://developer.bigfix.com - I think you’ll find examples there for creating baselines, sending actions, etc. that should be helpful.
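An added illustration of the vetting step the reply warns about (this is example code, not the poster's, and not from the BigFix project): it assumes the fixlet listing has the `<BESAPI>`/`<Fixlet>`/`<Name>`/`<ID>` shape the REST API returns, filters out configuration toggles such as the Spectre enable/disable pair and superseded content, and returns only the IDs an automated baseline may include. The XML, IDs, names and patterns below are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a fixlet listing; IDs, names and host are made up.
SAMPLE_FIXLET_LIST = """<BESAPI>
  <Fixlet Resource="https://bes.example:52311/api/fixlet/external/Enterprise%20Security/1001">
    <Name>MS20-001: Security Update for Windows 10 (Example)</Name><ID>1001</ID>
  </Fixlet>
  <Fixlet Resource="https://bes.example:52311/api/fixlet/external/Enterprise%20Security/1002">
    <Name>Enable Spectre/Meltdown mitigations on Windows</Name><ID>1002</ID>
  </Fixlet>
  <Fixlet Resource="https://bes.example:52311/api/fixlet/external/Enterprise%20Security/1003">
    <Name>Disable Spectre/Meltdown mitigations on Windows</Name><ID>1003</ID>
  </Fixlet>
  <Fixlet Resource="https://bes.example:52311/api/fixlet/external/Enterprise%20Security/1004">
    <Name>MS20-002: Security Update for Windows 10 (Superseded)</Name><ID>1004</ID>
  </Fixlet>
</BESAPI>
"""

# Deny-list (hypothetical patterns): configuration toggles and superseded
# content are never auto-selected; an operator decides those explicitly.
DENY_PATTERNS = [
    re.compile(r"\bsuperseded\b", re.I),
    re.compile(r"\b(enable|disable|turn (on|off))\b.*\bmitigation", re.I),
]
# Allow-list (hypothetical): only fixlets that look like vendor security
# updates qualify for unattended baseline creation.
ALLOW_PATTERNS = [re.compile(r"^MS\d{2}-\d{3}: Security Update", re.I)]


def select_fixlets(xml_text):
    """Return {fixlet_id: name} for fixlets an automated baseline may include.

    Deny patterns win over allow patterns, so a conflicting toggle is kept
    out even if its name also resembles a security update.
    """
    selected = {}
    for fixlet in ET.fromstring(xml_text).iter("Fixlet"):
        name = fixlet.findtext("Name", "")
        fixlet_id = fixlet.findtext("ID", "")
        if any(p.search(name) for p in DENY_PATTERNS):
            continue
        if not any(p.search(name) for p in ALLOW_PATTERNS):
            continue
        selected[fixlet_id] = name
    return selected


if __name__ == "__main__":
    for fixlet_id, name in select_fixlets(SAMPLE_FIXLET_LIST).items():
        print(fixlet_id, name)
```

The selected IDs are what a script would then place into a baseline; anything the filter drops is left for an operator to review in the console.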