I don't think registering a URL to an XML file does the trick.
The Linux distro's typically sign the packages, saying they were presented to the distro by someone they trust.
You need some sort of security in place, otherwise the system is effectively trusting all the web servers in all the URLs, and we know how safe web servers are.
But yes if Microsoft update updated everything, then people would have motivation for running it. Where as if it just updates a few system and Office - things that no one cares about till there PC is spamming - where is the motivation?
But it boils down to the same thing, trusting a single central authority, and since Windows users implicitly trust Microsoft, it might as well be them.