Standard users would have no idea they can do that or even bother. Extensions are risky additions to the browser because it's 3rd party code that can read your web pages and local storage values.
Vulnerable extensions are exploited when you access websites that can abuse the holes in the extension (XSS for example). You have to visit the site that the extension targets that has the attack payload for the extension.
I think that risking this by updating manually is more acceptable than getting the mallicious code directly auto-installed as soon as it's released by the attacker no matter what you do.