Sure, that'd be one solution. I wonder how many users would end up with auto-updates off, and how many of them would actually understand the risk.
Many users are going to change configuration because some tutorial on the internet somewhere tells them to do it, without totally understanding what they are doing, and are unlikely to revisit this configuration again ever. (Heck, I have done that with some configurations I don't totally understand, and don't even remember what I did and will never revisit to change back).
But it might be a fine way to do it.
But in analysis there is a shift from "can we blame someone else [users who ignored our advice] if the ecosystem ends up very insecure", to "how do we actually keep the ecosystem secure, not just have someone to blame when it isn't?" Doing the latter while also providing for user flexibility and autonomy can be a challenge for sure.
Many users are going to change configuration because some tutorial on the internet somewhere tells them to do it, without totally understanding what they are doing, and are unlikely to revisit this configuration again ever. (Heck, I have done that with some configurations I don't totally understand, and don't even remember what I did and will never revisit to change back).
But it might be a fine way to do it.
But in analysis there is a shift from "can we blame someone else [users who ignored our advice] if the ecosystem ends up very insecure", to "how do we actually keep the ecosystem secure, not just have someone to blame when it isn't?" Doing the latter while also providing for user flexibility and autonomy can be a challenge for sure.