2) What about those savvy net admins who don’t want buggy updates blindly pushed on their machines without them having the chance to test the impact of these updates first?

3) There is absolutely no need to implement this as self-replicating code. What can be done is build a P2P network for distribution of data (the patches). There is no need for a self-replicating program to infect other computers – the P2P software can come built-in Windows. Even now Microsoft is taking the wrong approach by distributing their patches as executables (with random names, at that, and installed from random paths) – which is playing havoc with my firewall/whitelisting software. (OK, part of the annoyance is the fault of the whitelisting software which can’t be instructed to silently allow all executables that are digitally signed by a particular producer, but still…)

4) The whole point of patching is to fix all vulnerable systems. However, a P2P-like virus has absolutely no guarantee that it will reach all those computer that centralized distribution normally reaches. This can go wrong in two ways. First, vulnerable systems might not get patched, because the virus hasn’t reached them. Second, the virus can keep probing and clogging the network, despite that all systems that need patching have been patched.

Regards,
Vesselin