This argument works the same way in reverse. If an exploit is discovered, manual updating spreads the update time, creating a much larger window in which exploits may be deployed, increasing the number of systems affected, and increasing the likelihood of a targeted attach succeeding.
A big difference is that the exploit can't be pushed to every single device in the world that is running the software in question and phoning home for updates.
