What, the auto-updating part? Obviously the client is verifying signatures (or using TLS with a client certificate, whatever), not just accepting whatever random file comes down the pipe.
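An added example (not code from anyone in this thread or from any particular updater) of what "the client is verifying signatures" looks like in practice: the client ships with a pinned Ed25519 public key, the signing host signs a digest of the payload together with a monotonically increasing version number, and the client refuses anything whose signature does not verify or whose version is not newer than what is installed (so a validly signed old build cannot be replayed as an "update"). The type and function names, the "update-v1" domain string and the sample payloads are all made up for the illustration; the one thing it does not help with is the case where the signing key itself is taken, since then the attacker's updates verify just fine.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is what the client downloads: payload, its version number, and the
// signature the signing host attached. (Illustrative type, not a real format.)
type Update struct {
	Version   uint64
	Payload   []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("update rejected: signature does not verify")
	ErrDowngrade    = errors.New("update rejected: version is not newer than installed")
)

// signedMessage is the byte string both sides sign/verify: a fixed domain
// string, the big-endian version, and the SHA-256 digest of the payload.
// Binding the version into the signed data is what makes replay detectable.
func signedMessage(version uint64, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	var v [8]byte
	binary.BigEndian.PutUint64(v[:], version)
	msg := make([]byte, 0, len("update-v1")+8+len(digest))
	msg = append(msg, "update-v1"...)
	msg = append(msg, v[:]...)
	return append(msg, digest[:]...)
}

// SignUpdate runs on the signing host (ideally offline), never on the
// distribution servers that merely serve the files.
func SignUpdate(priv ed25519.PrivateKey, version uint64, payload []byte) Update {
	return Update{
		Version:   version,
		Payload:   payload,
		Signature: ed25519.Sign(priv, signedMessage(version, payload)),
	}
}

// VerifyUpdate runs on the client with a public key compiled into the binary.
// A compromised download server can swap the file, but without the signing
// key it cannot produce a signature that verifies under the pinned key.
func VerifyUpdate(pub ed25519.PublicKey, installed uint64, u Update) error {
	if !ed25519.Verify(pub, signedMessage(u.Version, u.Payload), u.Signature) {
		return ErrBadSignature
	}
	if u.Version <= installed {
		return ErrDowngrade
	}
	return nil
}

func main() {
	// Constructed demo: generate a key pair, sign a fake build, then try
	// the three things an attacker on the download path might serve.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	good := SignUpdate(priv, 3, []byte("fake build v3"))
	fmt.Println("genuine:   ", VerifyUpdate(pub, 2, good))

	tampered := good
	tampered.Payload = []byte("fake build v3 with extra payload")
	fmt.Println("tampered:  ", VerifyUpdate(pub, 2, tampered))

	fmt.Println("replayed:  ", VerifyUpdate(pub, 3, good)) // client already on v3

	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("wrong key: ", VerifyUpdate(otherPub, 2, good))
}
```

The point of signing a digest-plus-version rather than the raw file is that the signature then says "this exact bytes, for this exact release", so neither a modified file nor an old release served with a new name gets through; TLS on the download channel is orthogonal, since it only authenticates the server you are talking to, not the file it decided to hand you.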
Even then, how many affected machines are there? Tens of thousands, hundreds of thousands? Compromise these servers, and possibly even the signing server, and you have the largest botnet or general compromise in history...
It is not unreasonable to think that this sort of software could get compromised.
A few more years and maybe they will add this newfangled super-innovative thing, invented by those esoteric academics at U of Haskell ... this new thing -- umm, what was it called -- try-catch perhaps.
I mean, this is every antivirus software. "Let's run some antivirus vendor's code on your system that opens literally every file on your system, regardless of how it got there."
Yeah, that's a great idea and not at all a huge attack vector.