This is an assertion which begs many questions.
Who are these users? What do you mean by "generally"? What do you mean by "poor"? What do you mean by "managing software"? Which software specifically? Why is "managing software" hard? What are specific cases where this might be true? Is this statement falsifiable?
For instance, how do age, social background, education level, language, culture, ... factor into the experience of "managing software"? Sure, the problem can't be software itself in its entirety?
See, statements like these tend to break down once you start digging into the murky nuances and specificities of reality.
Moreover, accepting them at face value tends to reinforce a belief which isn't based on fact: that the users of digital technology can't manage their devices, and therefore shouldn't be confronted with managing their devices.
... which is then translated and implemented in interfaces and systems that simply lack the functionality that gives users fine-grained control over what is or isn't installed.
Over a longer term, this promotes a form of "lazy thinking" in which users simply don't question what happens under the hood of their devices. Sure, people are aware of the many issues concerning privacy, personal data, security and so on. But ask them how they could make a meaningful change, and the answers will be limited to what's possible within the limitations of what the device offers.
A great example of this would be people using a post-it to cover the camera in the laptop bezel.
People don't know what happens inside their machine, they don't trust what happens on their machine, and there's no meaningful possibility to look under the hood and come to a proper understanding... so they revert to the next sensible thing they have: taping a post-it over the lens.
The post-it doesn't solve the underlying issue - a lack of understanding which was cultivated - but it does solve a particular symptom: the inability to control what that camera does.
The collective Internet has been through this before and (mostly) learned its lesson. People don't run updates when it's not shoved down their throat. And it's not a small segment of people. And it hasn't changed. Look at how many hacks still happen because of servers and apps that aren't patched for known vulnerabilities. Or the prevalence of cryptojacking which is still largely based on known vulnerabilities that already have patches available - indicating it's successful enough that people keep doing it.
Most users don't question what happens under the hood of their devices because they don't care. They have other things to care about that actually mean something to them besides the nuances of the day to day maintenance of their devices. There does not exist an effective way of making people care about things like this, let alone educating the masses on how to appropriately choose which commit hash of their favorite browser extension they should really be on. How many security newsletters do you really expect the average person to be subscribed to in order to make informed decisions about these things?
Hell, my "Update" notification on Chrome is red this morning and I'm at least in the top 10% of security-conscious folks in the world (it's really not a high bar).
I'm not saying automatic updates are without their problems - I'm in a thread on HN about that exact thing. But trying to claim it's somehow about sociodemographic issues and the answer is solving that and going back to selectively running updates is just ignoring the lessons of the past.
Users are "I, and everyone else I know".
Generally is "unless we need a feature".
Poor is "do not install updates to our software".
Managing software is "install updates".
Software is any software we use that provides updates, which is all of it.
Managing software is hard because doing it manually would require checking the website of every piece of software you've ever downloaded at regular intervals, where regular could be as frequently as minutes for security-critical tools.
If I ever downgrade my software and lock it to a specific version, I am now managing it manually, and all of the above applies.
I honestly don't think there are unquestioned assumptions here, because the task of keeping security-critical software up to date manually is nearly impossible for any user.
Demographics don't change the fact that if you don't automatically update software, many users simply won't. That's bad.
If you make something available for people to toggle that improves their experience, people are going to take advantage of that even if they don't really grasp or decide to ignore the consequences. In the case of updates the improved experience is not being nagged or forced to restart an application or the whole OS. And unfortunately the only way to really gatekeep that control to people who know what they're doing is giving it enterprise pricing.