That's just wrong. Somebody could just attack the server and push an infected "security upgrade" to thousands of computers. The upgrades needs to be confirmed at the user side, once the user knows it is safe to do so.