Comment by Nanzikambe

Whilst I agree with your point, I think an important question to ask is "harder compared to what exactly?"

Cracking SSL? Weaking crypto standards? Tapping undersea fiber? MITM attacks?

Given all those are used, I find it hard to believe the update vector isn't exploited. Sure you'd need to compromise the signing key first, but that's a single target allowing you the ability to subvert many more without the need for any breaking & entering or social engineering alerting intending targets/victims.

I'll take my tinfoil hat off now.