Note that for certain cold storage applications it's required to not be updating the programs used, say, in an air gapped computer.
If you've downloaded the update... checked the digital signature (in the case of Electrum)... and transferred it to the air gapped computer, do you think that a user would be running any more risk than copying your transactions back and forth via USB?
Even if you messed up and downloaded a compromised version of the wallet... the fact that the computer itself is air gapped should prevent any wallet/key leakage. At worst, the malware would only be able to try and slip something out via your USB... or potentially tamper with the transaction in some way (i.e. change destination address during signing).
I would have thought that doing your due diligence of double checking your transactions and/or USB for anything "odd" should help prevent that.
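One way to do the "double checking your transactions" step mentioned above, as an added example that is not part of the original post and not Electrum's code: on the online machine, before broadcasting, decode the signed transaction that came back on the USB stick and compare its outputs with what you intended to pay. The function names are hypothetical, the intended outputs are assumed to be given as scriptPubKey hex rather than addresses, and the sample transaction is constructed.

```python
# Added example: compare a signed transaction's outputs with what you intended.
def read_varint(buf, i):
    """Decode a Bitcoin CompactSize integer at buf[i]; return (value, next_index)."""
    first = buf[i]
    if first < 0xfd:
        return first, i + 1
    size = {0xfd: 2, 0xfe: 4, 0xff: 8}[first]
    return int.from_bytes(buf[i + 1:i + 1 + size], "little"), i + 1 + size

def tx_outputs(raw_hex):
    """Return [(scriptPubKey_hex, value_in_satoshi), ...] from a raw transaction."""
    buf = bytes.fromhex(raw_hex)
    i = 4                                   # skip version
    if buf[i] == 0x00 and buf[i + 1] == 0x01:
        i += 2                              # skip segwit marker and flag
    n_in, i = read_varint(buf, i)
    for _ in range(n_in):
        i += 36                             # previous txid + output index
        script_len, i = read_varint(buf, i)
        i += script_len + 4                 # scriptSig + sequence
    n_out, i = read_varint(buf, i)
    outputs = []
    for _ in range(n_out):
        value = int.from_bytes(buf[i:i + 8], "little")
        script_len, i = read_varint(buf, i + 8)
        if i + script_len > len(buf):
            raise ValueError("truncated transaction")
        outputs.append((buf[i:i + script_len].hex(), value))
        i += script_len
    return outputs

def compare_outputs(raw_hex, intended):
    """Return (unexpected, missing): outputs not asked for, and intended ones absent."""
    actual = tx_outputs(raw_hex)
    unexpected = [o for o in actual if o not in intended]
    missing = [o for o in intended if o not in actual]
    return unexpected, missing

def sample_tx(pay_script):
    """Constructed sample: one input, a 50,000 sat payment and 1,000 sat change."""
    return ("02000000" "01" + "11" * 32 + "00000000" "00" "ffffffff" "02"
            + "50c3000000000000" "16" + pay_script
            + "e803000000000000" "16" + CHANGE + "00000000")

PAYEE = "0014" + "aa" * 20      # constructed P2WPKH scriptPubKeys, not real keys
CHANGE = "0014" + "bb" * 20
INTENDED = [(PAYEE, 50_000), (CHANGE, 1_000)]

if __name__ == "__main__":
    print(compare_outputs(sample_tx(PAYEE), INTENDED))
    print(compare_outputs(sample_tx("0014" + "cc" * 20), INTENDED))
```

Two empty lists mean the transaction pays exactly what was intended; anything else (a swapped destination, a changed amount, an extra output) is a reason not to broadcast.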
lol, I knew this concept would be controversial.
But here's where I was coming from.
Suppose you have an air gapped computer doing nothing but offline transactions. The intent is for it to sit in the corner for ten years and do that.
Now, how often and why would you mess with the programs on that thing?
Let's say for the ten years there are released 19 application program updates for a single wallet, and 26 operating system updates.
I look at that group of changes as major tampering with a secure air gapped machine. Too much too often for too little or zero return in terms of benefits.