In part because the people doing the updates are very likely to be people who would have some greater knowledge of social engineering attacks such as email. Sure, some would get through, but very few. And this can be easily prevented by reducing the chain of commend of the item (USB?) or even, depending on how the data gets d/l, possibly using a new USB. Because people with expertise understand the risks. People who don't have expertise, don't understand the risks (or benefits).