> this is simply a [malware] disaster waiting to happen
Only if someone manages to break the signing and thus create a replacement file that works as an update with the same signature.
When downloading updates direct from MS today they are downloaded over HTTP, not HTTPS. But the signatures are downloaded on HTTPS and checked against the patches downloaded without a secure channel. This avoids the overhead of encrypting the patches for each client while performing the same content validation a secure channel would given (remember TLS both validates the content came from the correct server and hides the content on the network: the latter is irrelevant in this case as anyone can download the patches already).