As regular (European) Cuba-visitor I can testify that Cuba has 3G since many years. Everywhere where I tested it between Havana and Santa Clara it worked, also outside the cities, albeit slow. There was a time me and my Cuban colleagues thought it didn't exist, but then I just tried (in February 2012?) and to our surprise it just worked. For a long time it was only available on foreign SIM cards (and maybe military and elite Cubans), but since last year I often do see middle class Cubans using it with Cuban SIM cards. Last time I checked, in September, it was mail-only for the Cubans.

So the premise of OP's question is wrong: Cuba doesn't have to skip 3G. That infrastructure is largely there already, at least way more than WiFi infrastructure. Their internet uplink is however rather limited for an overnight opening up to all Cubans.

Abuse of the Debian and Redhat packages pre/post install scripts as virus vectors would require a security breach at the Debian/Redhat package maintainer or repository.

Chocolatey packages could spread viruses in many more cases: these packages are most often pointers to installers at websites. The package maintainer hopefully checks the security of the upstream installer at the moment of packaging. But none of the Chocolatey packages I inspected use a mechanism, such as checksums or signatures, to detect upstream changes. Such setup allows many more man in the middle attack scenarios. And finally such infected installer will get executed with administrator privileges.
Note: all Chocolatey packages of my small sample were following this unsafe model, but in theory they can be safer: they could prefer to download compressed archives instead of installers, and they could check the checksum of downloads.

This package manager comes 18 years after Linux package managers, and still it has an inferior security design.

The Chocolatey repository and format basically promote the download and execution of installers. Even the Chocolatey packages of FLOSS software like Firefox, VLC and Filezilla are downloading and executing (with administrator privileges) installers. They are not, like I would expect it for security reasons, unpacking compressed file archives, which are also available for such FLOSS programs.

The popularity of secure package managers are one of the many reasons why viruses have a hard time spreading broadly on Linux. Yes, Linux package managers are of course also running with root privileges, but they are mainly unpacking the package archive, thus avoiding to execute as root any installer from the upstream program. Any virus payload in user programs would only be executed by low-privileged users. As on a typical Linux system almost all executables are non-writable for low-privileged users, a virus executed by such user will be unable to spread into other programs on the system.

Also I didn't find checksums or signatures in the Chocolatey packages. Thus, also inferior protection against download errors and man in the middle attacks...