Operating systems and web browsers now auto-update themselves. This lets your OS and browser vendors patch vulnerabilities quickly, but it makes the update vendor a permanently-trusted third party.
In exchange for quick patches, you are now continuously vulnerable to the vendor being compromised, or just making a dumb mistake.
Whoever controls auto-update can deliver a targeted attack on any computer in the update network, at any time.
Even if you’re never explicitly targeted, the whole network is constantly vulnerable to a single mistake by the update vendor.