Sure, under the assumption of a crapplication and duhveloper, the implication is that bad things
happen. But I don't agree the assumption is always true ;).
It's a question of trust: why force the user to only trust the distro? Sure, other models have the
problem you state - but why can't we build a system where it doesn't happen? Just because
applications bundle stuff, they can still hook into the same updater the admin/user runs.
A distro letting go of control does not mean that the sysadmin has less control/more work.
We can do both, it's just harder and new territory.