The way I see it, if you are using a contract and you don't know that there is a sole owner that has the ability to upgrade the underlying contract to something else, which could be nefarious, then that is in the same wheelhouse as using a contract with a bug in it anyways.
It should be standard practice to have some governance model around the upgradeability (i.e. Multisig, Liquid Democracy, Aragon, etc.). Any contract that doesn't use some governance should be considered insecure and not used for financial transactions on the chain.