I'd heard people ask for this for Windows specifically, not sure where it is though, worth submitting an RFE. (something like never install this patch on this server, ever)
It's more of a process issue because there are a lot of technical ways around any blocks. If you have your process and permissions set up so there are patch managers, and only they can approve patches and there's a change process to deploy anything to your servers, that should catch it.
Otherwise it's possible to cram a patch into some other package, blpackage, file deploy job, etc that we might not catch (once you start execution of the binary we're not sitting between it and the OS to stop it) - so even if we block it in the 'patch analysis / deploy patches' area, it would still be possible.
Understanding this is a very old thread, was there any way to block a single patch from being deployed? I understand that there are as many ways to get around any method of blocking installations or access. But most of those methods involve the end user putting forth an amount of effort to defeat our blockage. However, it is my hope that we would be able to identify a patch as one that we never want installed on xxx device, and then create a blacklist of targets that would not install patch xxxx via our automated systems.
In 8.5 and later, for Windows patches there is a per-server exclude list.