Isn't this true, to some degree, with all software distribution channels? Weren't CCleaner and FileZilla hacked to distribute malware alongside the main payload?
Unvalidated auto-update really is an anti-pattern. Giving arbitrary third parties the power to install and run software on your system in perpetuity is a massive attack vector. Most software doesn't represent a large, active and ongoing attack surface such that auto-updates would be a net positive.
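To make the "unvalidated" part concrete, here is an added example (written for this page, not code from the comment author or from any of the products named above) of the minimum an updater should check before it runs anything it downloaded: a manifest signed with a publisher key that is pinned in the installed program, an anti-rollback check on the version, and a hash binding the downloaded artifact to that signed manifest. The manifest format, the `Manifest`/`VerifyUpdate` names and the demo key pair are all assumptions made up for the example; Ed25519 and SHA-256 come from Go's standard library.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the constructed update descriptor: the version being offered and
// the SHA-256 of the artifact that belongs to it. The signature covers the
// exact JSON bytes, so any edit to either field invalidates it.
type Manifest struct {
	Version uint64 `json:"version"`
	SHA256  string `json:"sha256"`
}

// SignedManifest is what the update server hands out.
type SignedManifest struct {
	Manifest  []byte `json:"manifest"`  // canonical JSON bytes of Manifest
	Signature []byte `json:"signature"` // Ed25519 signature over Manifest
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrRollback     = errors.New("manifest version not newer than installed")
	ErrHashMismatch = errors.New("artifact hash does not match manifest")
)

// SignManifest is the publisher side: hash the artifact, build the manifest,
// sign it with the release key (which never leaves the publisher).
func SignManifest(priv ed25519.PrivateKey, version uint64, artifact []byte) (SignedManifest, error) {
	sum := sha256.Sum256(artifact)
	raw, err := json.Marshal(Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: raw, Signature: ed25519.Sign(priv, raw)}, nil
}

// VerifyUpdate is the client side. pinned is the publisher key shipped inside
// the installed program (not fetched from the update server); installed is the
// version currently on disk. It returns the version it is safe to apply.
func VerifyUpdate(pinned ed25519.PublicKey, installed uint64, sm SignedManifest, artifact []byte) (uint64, error) {
	// 1. Check the signature before trusting any field of the manifest.
	if !ed25519.Verify(pinned, sm.Manifest, sm.Signature) {
		return 0, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return 0, err
	}
	// 2. Anti-rollback: a genuinely signed but older manifest can be replayed
	//    by anyone who can serve files to the client, so reject it.
	if m.Version <= installed {
		return 0, ErrRollback
	}
	// 3. Bind the downloaded bytes to the signed manifest; the signature alone
	//    says nothing about the artifact that arrived next to it.
	sum := sha256.Sum256(artifact)
	want, err := hex.DecodeString(m.SHA256)
	if err != nil || !bytes.Equal(sum[:], want) {
		return 0, ErrHashMismatch
	}
	return m.Version, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed demo key pair
	artifact := []byte("constructed update payload v2")
	sm, _ := SignManifest(priv, 2, artifact)

	v, err := VerifyUpdate(pub, 1, sm, artifact)
	fmt.Println("genuine update:", v, err)

	tampered := sm // same signature, edited version field
	tampered.Manifest = bytes.Replace(sm.Manifest, []byte(`"version":2`), []byte(`"version":9`), 1)
	_, err = VerifyUpdate(pub, 1, tampered, artifact)
	fmt.Println("tampered manifest:", err)

	_, err = VerifyUpdate(pub, 2, sm, artifact) // old manifest replayed
	fmt.Println("rollback / replay:", err)

	_, err = VerifyUpdate(pub, 1, sm, []byte("swapped payload"))
	fmt.Println("swapped artifact:", err)

	other, _, _ := ed25519.GenerateKey(rand.Reader) // key not pinned by the client
	_, err = VerifyUpdate(other, 1, sm, artifact)
	fmt.Println("signed by a different key:", err)
}
```

The order of the checks matters: the manifest is parsed only after its signature verifies, so a hostile server never gets to feed attacker-controlled fields into the client's logic. Pinning the key inside the installed program is what turns "whoever controls the download server" into "whoever holds the release key", which is the difference between the hijacked distribution channels mentioned above and a validated update.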