by Programmatic 3277 days ago
A signed malicious update would be a Big Deal(tm), but the entity would also be able to survive it by claiming it was negligence. I don't believe negligence has been significantly penalized in the marketplace, aside from perhaps CAs, where damage can be limited (prevent new certs from being seen as valid; plenty of other options for sites). There's no such option available for penalizing Microsoft, and their lock-in is significant enough to limit nuclear options for doing so.

"We've revoked the signing key that was hacked by blah blah we have the utmost regard for security and adhered to best practices" and everyone would probably gloss over it for one instance.


Their update signing is surely performed using an HSM with strict procedures for getting production builds signed, due to the exceptional sensitivity.

I think you might underestimate the gravity of such a thing happening, it would not be glossed over.

What are the alternatives once an event occurs and Google/Microsoft/Redhat/?? claim it was an accident outside of their control (possibly due to negligence)? Yes, outside experts will be investigating to the best of their ability and there will be a statement about what measures have been put in place to mitigate the issue in the future. But what else would happen?