
That would be the express road to long-term unpatched vulnerabilities.

There are basically two ways to have safe web extensions: Carefully control their entire supply chain (which could easily cause big antitrust problems for Google as the vendor of the most popular browser), or minimize the things they have access to.



It is the better road, and the road chosen by most other things that aren't SaaS, including Google's other most popular thing, Android. Keep the default to auto-update, fine, but let me disable that, as the Android app store does. Attacks from previously trusted extensions (and apps) being updated and then doing malicious things (requesting new permissions to do them is not significant friction) are worse and more frequent than old unpatched extensions being vulnerable to something. (That "something" likely being in the realm of XSS or click-jacking from a malicious page, much harder to widely exploit.)

I'm sure it's happened, but I haven't heard of an extension suffering from a significant "unpatched vulnerability" and being exploited in the wild -- I have heard of things like this click-jacking issue in Privacy Badger: https://blog.lizzie.io/clickjacking-privacy-badger.html No wild exploits afaik, just the PoC, and the ultimate worst-case impact was just (reversibly) disabling the extension for the page or a site, which isn't very severe. Perhaps a more advanced extension like Ruffle that uses Rust and WASM has a more severe attack surface than the majority of extensions written in JavaScript, but even if it does, it must be exploited by a malicious page targeting it, vs. the alternative of auto-updating to a malicious version and doing whatever it can get away with immediately.

Extensions getting taken over or just transferred to new owners and updating to do something new and malicious is quite routine and multiple examples come readily to my mind. The first to come to mind is Stylish, several years ago: https://robertheaton.com/2018/07/02/stylish-browser-extensio... (I was not impacted because I didn't update the extension during its vulnerable window, which was months, and apparently over a year for Chrome.)

The safe way to handle these issues is to let users turn off auto-updating, and to have actual policies to mitigate the damages from malicious extensions. Firefox itself will disable extensions that become known to be defective in some way; this can be independent of whether the issue is an unpatched vulnerability, whether there's a patch/update to address it, whether the extension isn't just bugged but doing something malicious, whether it always was malicious from first install or just suddenly became malicious... See https://support.mozilla.org/en-US/kb/add-ons-cause-issues-ar...



