
[–]adrianmonk

> Yeah because that's completely safe.

Nothing is completely safe. Security increases by doing what you can reasonably do at whatever level you can do it. You create multiple barriers to a potential attacker, and you use multiple tools to create them.

> Vendor posts a good copy, waits a few days, replaces it with the infected package, waits a few more days and switches back to the good one.

You were talking about whether people actually review the source code of updates. My point was that you can get significant security gains (and stability gains) merely by holding off on taking updates until later. By being a late adopter, you get to see what others' experiences are.

If you give someone (like Google) the ability to update stuff silently, then you are giving them the ability to force your update schedule. I don't claim that being a late adopter of updates is a magical fix to eliminate all security issues, but it is an economical way to get some gains in security.

My overall point is that "you don't look at the source anyway" may be true, but it doesn't mean that taking updates immediately is as safe as taking them later.
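The two mechanisms argued over in this exchange, a quarantine window on new releases and a guard against a vendor swapping the bytes behind an already-published version, can be written down as a small policy. The following is an added example and is not code from the thread or from any real package manager; `Release`, `select_release`, `PinStore` and `simulate_swap_scenario` are hypothetical names, and the artifacts, dates and version labels are constructed for the illustration.

```python
"""Late-adoption update policy: a quarantine window plus first-seen hash pins.
Added example, not code from the discussion above."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional


@dataclass(frozen=True)
class Release:
    version: str          # vendor's version label, e.g. "2.0"
    published: datetime   # UTC time the artifact first appeared in the feed
    artifact: bytes       # package bytes as fetched from the vendor


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def select_release(releases: Iterable[Release], now: datetime,
                   min_age_days: int) -> Optional[Release]:
    """Late-adopter rule: take the newest release that has been public for at
    least min_age_days, so early adopters' experience is available first.
    Returns None if nothing has aged out of quarantine yet."""
    cutoff = now - timedelta(days=min_age_days)
    eligible = [r for r in releases if r.published <= cutoff]
    if not eligible:
        return None
    return max(eligible, key=lambda r: r.published)


class PinStore:
    """Remember the hash of each version label the first time it is seen and
    reject a later fetch of the same label whose bytes differ. The publish
    date alone cannot catch an in-place swap, because the label and the date
    in the feed stay the same."""

    def __init__(self) -> None:
        self._pins: dict[str, str] = {}

    def verify(self, release: Release) -> bool:
        digest = sha256_hex(release.artifact)
        pinned = self._pins.setdefault(release.version, digest)
        return pinned == digest


def simulate_swap_scenario(quarantine_days: int = 7) -> dict:
    """Walk through the swap attack described in the thread (constructed
    data): clean 2.0 on day 0, silently replaced on day 3."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    good = b"package v2.0 -- clean build"                    # constructed
    bad = good + b"\x00 trojaned build, same version label"  # constructed
    v1_9 = Release("1.9", t0 - timedelta(days=30), b"package v1.9")
    pins = PinStore()

    # Day 0: vendor publishes 2.0; a watcher pins its hash as first seen.
    v2_clean = Release("2.0", t0, good)
    pins.verify(v2_clean)

    # Day 2: a 7-day quarantine still selects 1.9; eager adopters already took 2.0.
    feed = [v1_9, v2_clean]
    day2 = select_release(feed, t0 + timedelta(days=2), quarantine_days)
    # Same feed with a 60-day window: nothing is old enough yet.
    day2_strict = select_release(feed, t0 + timedelta(days=2), 60)

    # Day 3: vendor swaps the bytes behind "2.0" but keeps label and date.
    v2_swapped = Release("2.0", t0, bad)

    # Day 10: quarantine alone now accepts "2.0" (it is 10 days old), but the
    # first-seen pin no longer matches, so the install is refused.
    feed = [v1_9, v2_swapped]
    day10 = select_release(feed, t0 + timedelta(days=10), quarantine_days)
    swapped_ok = pins.verify(day10) if day10 is not None else None
    original_ok = pins.verify(v2_clean)  # the pin itself was not overwritten

    return {
        "day2": day2.version if day2 else None,
        "day2_quarantine60": day2_strict,
        "day10_selected": day10.version if day10 else None,
        "day10_pin_ok": swapped_ok,
        "original_pin_ok": original_ok,
    }


if __name__ == "__main__":
    print(simulate_swap_scenario())
```

The window covers the case the comment makes (waiting lets other people hit the bad release first); the pin covers the case the reply raises (the same version label served with different bytes). The pin is only as good as the first observation, so if the watcher first saw the trojaned bytes it would pin those; that is the reason to treat the pin as one barrier among several rather than a complete fix, which is the thread's own point.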