
But this applies to any software that has auto-updates. Can we be sure that Microsoft/Google/Apple don't sign backdoor updates for the NSA for specific targets? As far as I know these national security orders are non-public and we don't even know if it's happening.

But Russia used Ukraine in the past as a "playground" for cyber attacks: Some mandated tax software auto-update was hacked and delivered a ransomware trojan without any chance to pay, i.e. pure data destruction.



No, it doesn't. Because not all software companies can be a) under influence of a foreign government potentially hostile towards yours and b) software has varying degrees of replacement difficulty.

Example - building an entire smart city network on top of Huawei network gear. It would be very difficult to rip it out and replace on a whim if China suddenly decided to side with Russia in a war against the West, which is literally a possibility floating in the air right now. End state - you have a hostile actor who has access & control of your critical infrastructure. ¯\_(ツ)_/¯



