Apparently YOU don't understand how it works...
How is the putative attacker going to get the malicious applications installed on the victim machine, replacing the legitimate apps? To do so requires access to the machine itself at the keyboard AND knowledge of the Administrator Name and Password (ROOT level, no less) so that the hacker can install his malware. If the attacker can do that, he already has all the access he needs to install anything he wants.
If he can't get to the computer, he has to trick the administrator into installing his malicious package...
To get to the point of "The user just goes to update his Mac and unknown to him, etc" the user MUST DOWNLOAD AND INSTALL A MALICIOUS TROJAN. It cannot download and install itself... it has to have permission to be installed... and in the latest version of OS X it has to have permission to run for the first time. This relies on psychology to be spread... tricking the user into installing it himself. There is nothing autonomous about this first step.
When installing updates, what can be updated? And what level of access is required?
So my option is to either go unpatched or risk running the patch program? Hmmmmm....sounds like a bad deal to me.