To add some additional perspective: many of us know how to add some basic level of security to our personal networks. Certainly not NSA-proof, but enough to not worry about being owned by your average script-kiddie or wide-spectrum hacker.
So in reality we do have more concern about Microsoft's update channel, which has a trusted, straight-shot channel directly into the core of our system, than we do about random Joe hacker who had to bypass our NAT, find a zero-day, etc.
From a security point of view, Windows update operates within the secure zone with root privileges. Of course that's more concerning if you don't trust it than an external hacker.