
It really doesn't beg those questions - we have 25+ years of data backing it up. People across the board are bad about running updates. I'm guessing you missed the mid-late 90s when things like buffer overflows started to be exploited and firewalls became necessities because even the folks whose job it was to run updates of vulnerable systems with public IPs on the Internet... weren't. Then came the early 2000s and all the worms running amok because people still weren't running their updates. Then the collective web development industry screamed in pain because things like Windows XP and IE6 just would not die.

The collective Internet has been through this before and (mostly) learned its lesson. People don't run updates when it's not shoved down their throat. And it's not a small segment of people. And it hasn't changed. Look at how many hacks still happen because of servers and apps that aren't patched for known vulnerabilities. Or the prevalence of cryptojacking which is still largely based on known vulnerabilities that already have patches available - indicating it's successful enough that people keep doing it.

Most users don't question what happens under the hood of their devices because they don't care. They have other things to care about that actually mean something to them besides the nuances of the day to day maintenance of their devices. There does not exist an effective way of making people care about things like this, let alone educating the masses on how to appropriately choose which commit hash of their favorite browser extension they should really be on. How many security newsletters do you really expect the average person to be subscribed to in order to make informed decisions about these things?

Hell, my "Update" notification on Chrome is red this morning and I'm at least in the top 10% of security-conscious folks in the world (it's really not a high bar).

I'm not saying automatic updates are without their problems - I'm in a thread on HN about that exact thing. But trying to claim it's somehow about sociodemographic issues and the answer is solving that and going back to selectively running updates is just ignoring the lessons of the past.


