by b112 1684 days ago
The more important question is, can the SIM itself be remotely updated?

If so, any entity with a court order can install anything it wants on your phone.

Alternatively, any entity it wants can use the SIM itself to track beyond the norm...

2 comments

Not really updated, but new applications can be remotely installed and then interact with the baseband and (to a limited extent) the smartphone OS.

It's not "any entity", though – the provider’s keys are needed to do this, and they can already do much of that tracking using other, network-side means.

If the signing keys are compromised, though, bad things can happen: https://www.srlabs.de/bites/rooting-sim-cards

Couldn't installations be observed though?
They could (using a setup like the one in the article), but the payload is usually encrypted in addition to being authenticated, and such OTA updates are done for legitimate reasons all the time.