by temprature 2972 days ago
> I would trust WordPress to keep their signing keys safe.

What signing keys? WordPress's automatic updates aren't signed, so your trust is horrendously misplaced.

Someone already did the work for them to implement it[0], and rather than commit it, a WordPress developer wrote a blog post saying signing isn't really that important[1].

[0] https://core.trac.wordpress.org/ticket/39309

[1] https://medium.com/@photomatt/wordpress-and-update-signing-5...