A malicious application would focus on deleting everything, so what more is destroyed if UPnP is enabled?

I've seen a few people saying that, but honestly, I don't see why it would be a suicide. I don't really care that an application can change my port forwarding configuration. Why would I?

How about using UPnP for auto-forwarding Bitcoin ports? (8333 TCP)

Also, why can't you use other ports?

That's easy - just make Bitcoin come with a Debian VM.

Did you update to 0.3.10? If not, do so. I think it just means that there are people using older versions of BitCoin and generating wrong blocks, which you are denying.

Also, if someone maintained a package and submitted it to distributions, it would already be auto-updated without the need to build it into the client.

I was thinking of automatic updating being off by default (but checking being on by default). Update user verification is useless for me because I always click yes -  It's rare that the update server is being played with, but even if it were, I would not be able to tell.

How about using TLS for authenticating the update server?

Would it be possible to implement a Bitcoin client entirely in JavaScript using HTML5 technologies such as WebSocket and WebSQL?

Since there can be important security updates and a lot of people don't check the site, the Bitcoin client should have an optional auto-updater (on by default), with "how often?" options ranging from each five minutes to each day and an option to install without asking (only security updates or all updates?)