On Windows Vista, 7 and 8, things installed into the Program Files directory can't be altered without UAC kicking in and requiring admin rights. That's why apps require admin rights to update. This prevents viruses and other things from altering installed apps unless it's using an unpatched security issue. To allow updates to be done without needing admin rights, Firefox installs an updater service that only it has access to and that can only update its own files. This allows updates without UAC/admin and while still preserving the Windows app security model.
Google Chrome gets installed into the APPDATA directory. In that location, any process running on the system under the current user can alter Chrome's files, since it isn't within Program Files and isn't subject to UAC/admin. This makes a standard Chrome install inherently less secure than Firefox, Opera, etc installed according to Windows' guidelines within Program Files. Google makes available another Chrome installer that installs into Program Files, but it isn't promoted to users (so they're unaware of the security differences) and it can't be updated without UAC/admin rights.
I’ve seen dozens if not hundreds of infected machines. By far the most common infection vector comes from unpatched browsers or their plugins.
It looks like my browser was not updating because of a 1.5 year old bug #711475 which is still marked at “New”. If it hadn't been for my interest in asm.js, I'd still be sitting at version 17 or 18, despite auto-updates and background service both being checked.
Not auto-updating the browser is a much bigger security risk than your hypothetical issue for Chrome.
I'm not familiar with auto-update, but reading at Bugzilla, it seems that auto-update has been working for a few months at least. The bug to which you linked seems to be about letting users update Firefox without having to wait for the auto-update, which is something else entirely.
Or did I misunderstand what feature you are referring to?
What difference does that make if malware can just install a separate infested version of the browser side-by-side, set it as the default browser, and adjust all desktop/start menu shortcuts to point to this new browser?
Google Chrome gets installed into the APPDATA directory. In that location, any process running on the system under the current user can alter Chrome's files, since it isn't within Program Files and isn't subject to UAC/admin. This makes a standard Chrome install inherently less secure than Firefox, Opera, etc installed according to Windows' guidelines within Program Files. Google makes available another Chrome installer that installs into Program Files, but it isn't promoted to users (so they're unaware of the security differences) and it can't be updated without UAC/admin rights.