
Updates are signed and the OS will refuse to run them if signature verification fails, so unless your MITM has Apple's signing key that wouldn't work.

(And no, this bug didn't break client-side signed package verification.)



Unless your box has already been pwnd and the update installer has been modified to not install that update in the way it was meant to be.


Yes, if we assume you're already fucked, then we can conclude that there is nothing you can do to verify anything and that you are fucked, because we have assumed our conclusion. SHA1s and MD5s are equally pointless in this case because you've already assumed you're fucked, so it should all be assumed to be lying to you.

If, however, we don't engage in circular reasoning and we assume your box isn't currently in the possession of the Russian mafia or (insert preferred APT here), then how can one be reasonably confident that the update one receives through the updater is legitimately the one Apple is distributing?

Because it is signed and the code-signing verification was not broken by this bug.


> If, however, we don't engage in circular reasoning

I agree with the point you're making, but you can also turn this idea around, after which it serves to highlight how insanely inadequate our current tools and infrastructure are from a security standpoint.

Basically, you can only reasonably hope to verify a patch if you're not already owned, so you also have to assume you're not in order to verify. It's as if there was a contagious disease that has a good chance of killing you after a number of years, but the diagnostic tests can only be counted on to work if you don't have the disease in the first place. So then why would anyone ever bother getting tested? Our current situation is that uncomfortable.


> Basically, you can only reasonably hope to verify a patch if you're not already owned, so you also have to assume you're not in order to verify. It's as if there was a contagious disease that has a good chance of killing you after a number of years, but the diagnostic tests can only be counted on to work if you don't have the disease in the first place. So then why would anyone ever bother getting tested? Our current situation is that uncomfortable.

Being owned is less like having a virus and more like having schizophrenia. You can't ever expect to self-verify yourself, because if you're suffering from it, everything you're perceiving is being filtered through a compromised and untrustworthy system.

You have to trust some third-party that you believe to not be similarly compromised to do the verification for you.


> You have to trust some third-party that you believe to not be similarly compromised to do the verification for you.

Which effectively means that most people won't bother, unless a "trusted third party" is built into their machine.

But that has huge potential problems of its own.


That gave me a good chuckle. Thanks for that.


You make a valid and well-understood point. Ken Thompson's classic paper: http://cm.bell-labs.com/who/ken/trust.html



