So as I said if I configure Granny's computer to act as the Malicious spoofing server...all Macs on her network that try to download a legit patch will get the trojan/virus.
No, For-q, that is where you are wrong... if that were the case, there would be no need for the "victim software package" to change the System files.
This is just not a case of a spoofed server on the network as the DHCP vulnerability was... it requires a change in ROOT level system files to force the victim machine to connect to the spoofed server instead of the secure Apple server.