Starting with El Capitan (OS X 10.11), Apple introduced System Integrity Protection (SIP) in macOS, which makes certain directories unwritable, even by root. Here’s a quick reference for a couple of commands you can use to see whether a directory or file is SIP-protected, since that may change from one macOS version to the next.
Run ls -lO (that’s a lowercase L, followed by a capital O, not the number 0) and look for restricted in the output:
ls -lO /Library/Updates/
-rw-r--r--@ 1 root wheel restricted 181 Jul 29 10:22 PPDVersions.plist
-rw-r--r--@ 1 root wheel restricted 1130219 Jul 29 10:22 ProductMetadata.plist
-rw-r--r-- 1 root wheel restricted 260 Jul 29 10:17 index.plist
Run xattr -l (that’s a lowercase L), followed by the name of the directory, and look for com.apple.rootless:
xattr -l /Library/Updates/
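Both checks can be scripted when you need to audit many paths. The following is an added example, not part of the original post: the function names are hypothetical, the flags position (field 5) is taken from the listing above, and the last two sample lines are constructed.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Read `ls -lO` output on stdin and print the name of every entry whose
# file-flags column (field 5, as in the listing above) includes "restricted".
restricted_from_ls() {
    awk 'NF >= 10 {                        # skips the "total N" summary line
        n = split($5, flags, ",")          # flags can be combined: restricted,hidden
        for (i = 1; i <= n; i++) if (flags[i] == "restricted") {
            name = $10                     # the name starts at field 10 ...
            for (j = 11; j <= NF; j++) name = name " " $j   # ... and may contain spaces
            print name
            break
        }
    }'
}

# Constructed sample: the three lines from the post plus two made-up entries.
sample_listing() {
    cat <<'EOF'
total 2232
-rw-r--r--@ 1 root wheel restricted 181 Jul 29 10:22 PPDVersions.plist
-rw-r--r--@ 1 root wheel restricted 1130219 Jul 29 10:22 ProductMetadata.plist
-rw-r--r--  1 root wheel restricted 260 Jul 29 10:17 index.plist
-rw-r--r--  1 root wheel - 12 Jul 29 10:17 notes.txt
drwxr-xr-x  3 root wheel restricted,hidden 96 Jul 29 10:17 Some Dir
EOF
}

# On a Mac, run both checks from the post against one path.
sip_check() {
    flag=no; attr=no
    if ls -ldO "$1" 2>/dev/null | restricted_from_ls | grep -q .; then flag=yes; fi
    if xattr -l "$1" 2>/dev/null | grep -q '^com\.apple\.rootless'; then attr=yes; fi
    printf '%s\trestricted=%s\tcom.apple.rootless=%s\n' "$1" "$flag" "$attr"
}

# Report on every path given as an argument.
for p in "$@"; do sip_check "$p"; done
```

Saved as a script and run on a Mac with paths as arguments, it prints one line per path showing the result of each check.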
Special thanks to @revolize and @Magneto on the MacAdmins Slack!