Board Development & Technical Discussion
Re: The situation wrt 0.16.3 version highlights urgency of streamlining updates
by Ix on 26/09/2018, 22:13:24 UTC
2) Updates can never be automatic for a decentralized system as such. Even adding something like an 'update available' notification system can open up more attack vectors and is (as always) prone to abuse.

I agree with the first part, but as far as 'update available' notifications go, is it any worse than relying on GPG verification of binaries in the first place? Update notifications could also automate the GPG verification, which few people aside from very serious users probably do. Of course that means relying on the key baked into the software, but it is always possible to compromise something somewhere. Having to read the news to find out there is a critical vulnerability in the software you are using does not seem to be ideal, imo.