Without some kind of carefully crafted notification, there will always be users who never ever update. It feels like stagnation is built into this system and it will never be overcome.
It sounds to me like you're making assumptions which are simply not true, then fixating on particular solutions.
People do upgrade; this is a fact, and we've seen it quite clearly in practice. If you want software to nag users when it's really old, it could do that independent of there being any alert system.
So the concern is that if you or any other developer with access to an alert system is compromised,
"with access to" -- instantly you begin by just _presuming_ a centralized hierarchical world with privileged parties that have power over others.
I guess my response would be, doesn't that concern also apply to users simply downloading the software?
No, only _new_ users that downloaded it when it was compromised; not everyone already out there.
You could counter that by saying that users can check the source code, but the reality is apart from some very select people, users aren't reviewing source code,
Most users do not, a few do. If the few that do find problems, they can sound alarms, protecting others (see the prior point).
prevent malicious developers or compromised developers from exerting control.
Multisignature is still trusted and centralized.