Key detail: Security experts have IT skills (Score 4, Insightful)
People don't shun (non-OS) updates because they "might" install malware - They shun them because they do install unwanted tag-alongs (if not outright malware). Flash tries to install its partner-of-the-week every time you update it. Chrome just added push notifications. Java... Let's not even go there. And let's not overlook the fact that most users can't tell a legit update prompt from a drive-by installer.
Security experts have a bias here because they:
1) can usually tell the legit updates from the bogus ones (and know enough to get the bloat-free version of the update); and
2) can themselves remove or repair the occasional spyware that slips through, without needing to pay BestBuy $150 for five minutes' work on a machine only worth $300 in the first place.