[colejohnson66]

That last one (the “citation needed”) is solved by stores that have auto-updaters. When a store isn’t used, it’s up to the app developer to provide a notification of an update being available, and many don’t do that.

Linux’s package manages show that quite well. I can update (almost) all my packages with a simple command. On Windows, if Inkscape has a security vulnerability that an update fixes, I'm not informed of this unless I follow the development or use an RSS feed of sorts.

[takluyver]

Agreed. Of course it's possible in theory for every developer to have their own secure, reliable auto-update mechanism. But it's not easy - the docs of The Update Framework describe some of the challenges.

If every app handles its own updates, that also means that either you've got N background auto-updaters running, or the check has to wait until you run the software - and potentially get exploited by a hole patched in the update it's just downloading.