
Users never upgrading their software certainly also leads to security problems though, it's not a solution, and it is reasonable to try to set things up so this doesn't happen.


Wouldn't an easy solution be to turn auto updates on by default, and warn users that turn it off that they are opening themselves up to potential security issues, and to do so wisely?


The issue comes when an auto update regresses something that the user relied upon. As long as the automatic update has a 'downgrade' option, that's tenable, but most of the solutions out there make downgrading difficult.

I prefer automatic updates that are presented to the user for action; sadly, feature update/release notes are often hidden or content-free (cf. Google's apps' updates on the Play Store), and the downgrade path varies heavily with OS (easy on Linux, impossible on iOS).
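The 'downgrade option' this comment asks for is mostly a matter of install layout. As an added illustration (not code from the thread or from any of the products named in it), here is a minimal versioned install: every release lives in its own directory, a `current` symlink selects the active one, an update installs beside the old release and swaps the symlink atomically, and rollback re-points the symlink at any earlier release still on disk. It assumes a POSIX filesystem (symlinks and atomic rename) and uses constructed sample releases in a scratch directory so it runs offline.

```python
"""Versioned install with an atomic 'current' pointer and rollback.

Added example, not code from the thread. Assumes a POSIX filesystem
(symlinks, atomic rename) and uses only the standard library.
"""
import os
import re
import tempfile
from pathlib import Path

# Version names become directory names, so reject anything that could
# escape releases/ (slashes, '..') or collide with staging dirs (leading '.').
VERSION_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


class ReleaseStore:
    """Keeps every installed release under releases/<version>/;
    the 'current' symlink selects the active one."""

    def __init__(self, root):
        self.root = Path(root)
        self.releases = self.root / "releases"
        self.current = self.root / "current"
        self.history = self.root / "history"  # install order, one version per line
        self.releases.mkdir(parents=True, exist_ok=True)

    def installed(self):
        """Versions still on disk, oldest first."""
        if not self.history.exists():
            return []
        return [v for v in self.history.read_text().split()
                if (self.releases / v).is_dir()]

    def active(self):
        """Version the 'current' symlink points at, or None before first install."""
        if not self.current.is_symlink():
            return None
        return os.path.basename(os.readlink(self.current))

    def read(self, name):
        """Read a file from the active release (follows the symlink)."""
        return (self.current / name).read_text()

    def install(self, version, files):
        """Write the release into a staging dir, then make it visible and active.

        `files` is a constructed {name: contents} mapping standing in for an
        unpacked, already verified release archive.
        """
        if not VERSION_RE.fullmatch(version):
            raise ValueError(f"invalid version name {version!r}")
        target = self.releases / version
        if target.exists():
            raise FileExistsError(f"release {version} is already installed")
        staging = self.releases / f".{version}.partial"
        staging.mkdir()
        for name, content in files.items():
            (staging / name).write_text(content)
        staging.rename(target)  # a crash before this line leaves no half-installed release
        with self.history.open("a") as fh:
            fh.write(version + "\n")
        self._switch(version)
        return version

    def rollback(self, version=None):
        """Re-point 'current' at an earlier release; default is the previous one."""
        installed = self.installed()
        if version is None:
            if self.active() not in installed:
                raise ValueError("nothing is installed")
            idx = installed.index(self.active())
            if idx == 0:
                raise ValueError("no earlier release to roll back to")
            version = installed[idx - 1]
        elif version not in installed:
            raise ValueError(f"release {version} is not on disk")
        self._switch(version)
        return version

    def _switch(self, version):
        """Atomically replace the 'current' symlink: readers see old or new, never neither."""
        tmp = self.root / "current.tmp"
        if tmp.is_symlink():
            tmp.unlink()
        os.symlink(self.releases / version, tmp)
        os.replace(tmp, self.current)  # rename over the old symlink, not into it


def demo():
    """Install, update, roll back in a scratch directory; returns what a user would see."""
    with tempfile.TemporaryDirectory() as scratch:
        store = ReleaseStore(scratch)
        store.install("1.0", {"app.conf": "feature=old"})  # constructed sample releases
        store.install("1.1", {"app.conf": "feature=new"})
        updated = (store.active(), store.read("app.conf"))
        rolled = store.rollback()
        restored = (store.active(), store.read("app.conf"))
        try:
            store.rollback()
            exhausted = False
        except ValueError:
            exhausted = True
        return {"installed": store.installed(), "updated": updated,
                "rolled_back_to": rolled, "restored": restored, "exhausted": exhausted}


if __name__ == "__main__":
    print(demo())
```

Two points a practitioner would add on top of this: rollback re-exposes whatever the newer release fixed, so it should be logged and surfaced rather than silent; and old releases must eventually be pruned, so "keep the last N" becomes part of the disk budget.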


Good point, being able to roll back to a specific release would be very handy.


Sure, that'd be one solution. I wonder how many users would end up with auto-updates off, and how many of them would actually understand the risk.

Many users are going to change configuration because some tutorial on the internet somewhere tells them to do it, without totally understanding what they are doing, and are unlikely to revisit this configuration ever again. (Heck, I have done that with some configurations I don't totally understand, and I don't even remember what I did and will never revisit them to change back.)

But it might be a fine way to do it.

But in the analysis there is a shift from "can we blame someone else [users who ignored our advice] if the ecosystem ends up very insecure?" to "how do we actually keep the ecosystem secure, not just have someone to blame when it isn't?" Doing the latter while also providing for user flexibility and autonomy can be a challenge for sure.



