You need to automatically update from a trusted source. That source better audit and update constantly. Which is hard.

Ignoring the real benefits of security updates to prevent the unlikely event of supply chain attacks sounds like a weird tradeoff.