Admittedly I've always been a little bit confused over what the actual issue here is.
Just because a port exists in the template does not mean that it's exposed to the WAN. And, if you're using custom networks (e.g. BR0) or host, then any and all port mappings are ignored anyways. (I.e., install the default cAdvisor template from CA: you'll hit the webUI on port 8081. Delete the port and you can't hit the webUI. Now move the container to br0 and you'll hit the webUI on port 8080 even though the port doesn't exist in the template.) Whether or not the port exists in the template (or the docker run command) does not stop the container from opening the port. All it does is tell the docker system what to do when it's attempted to be accessed from outside the container. And in the case of host / br0 the mappings are ignored by design from docker itself. It's why if you install any of the Plex containers they do not have any port mappings in the template, yet they work as Host / br0, but if you switch the template to bridge they will fail.
Because @ich777 told me that there could be issues (once again I do not understand why), provisions were put into place to prevent the template from being updated if the container updates. Note that simply stopping and restarting a container will NOT ever update the template. Only an update to the container itself (not to the app within) will also have the template updated. This provision is not a work-around, but is a by-design feature. It's just not accessible via the GUI to prevent users from inadvertently changing the entry to something that doesn't work (80% of the maintainers can't figure out the proper URL to put in there, so CA's appfeed fills it in automatically).
As mentioned, there is no real way to determine if a port was deleted and you don't want it added again during an update or if the port doesn't exist in the first place and needs to be added.
All in all, the update system solves far, far more problems than it creates and if (once again "if") there are issues with ports being deleted and causing an actual issue with the container if it gets re-added, then the provisions exist for the maintainer of the template (or the user) to be able to easily flag the template as "do not update this".
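
Added example, not part of the original post: a small audit that reads trimmed `docker inspect` records and reports, per container, whether the template's port mappings actually govern reachability. The container names, the `DRIVERS` map and the sample records are constructed for illustration, and the `audit` function is hypothetical, not part of Unraid or CA.

```python
import json

# Constructed: network name -> driver, as `docker network ls` would list them.
DRIVERS = {"bridge": "bridge", "host": "host", "br0": "macvlan"}

# Constructed: trimmed `docker inspect` records (names and ports are samples).
SAMPLE = json.loads("""[
 {"Name": "/cadvisor-bridge", "Config": {"ExposedPorts": {"8080/tcp": {}}},
  "HostConfig": {"NetworkMode": "bridge",
    "PortBindings": {"8080/tcp": [{"HostIp": "", "HostPort": "8081"}]}}},
 {"Name": "/cadvisor-br0", "Config": {"ExposedPorts": {"8080/tcp": {}}},
  "HostConfig": {"NetworkMode": "br0",
    "PortBindings": {"8080/tcp": [{"HostIp": "", "HostPort": "8081"}]}}},
 {"Name": "/plex-host", "Config": {"ExposedPorts": {"32400/tcp": {}}},
  "HostConfig": {"NetworkMode": "host", "PortBindings": {}}}
]""")

def audit(container, drivers):
    """Say whether port mappings control how this container is reached."""
    host = container["HostConfig"]
    mode = host["NetworkMode"]
    driver = drivers.get("bridge" if mode == "default" else mode, "unknown")
    mapped = sorted(f"{b['HostPort']}->{port}"
                    for port, binds in (host.get("PortBindings") or {}).items()
                    for b in binds or [])
    # ExposedPorts is image metadata: a hint about listeners, not a guarantee.
    hint = sorted((container["Config"].get("ExposedPorts") or {}).keys())
    result = {"name": container["Name"].lstrip("/"), "driver": driver,
              "published": [], "ignored": [], "listening_hint": hint}
    if driver == "bridge":
        # NAT'd network: only published ports are forwarded from the host.
        result.update(mappings_apply=True, published=mapped)
    elif driver in ("host", "macvlan", "ipvlan"):
        # Shares the host stack or has its own LAN address: every port the
        # process listens on is reachable and the mappings are discarded.
        result.update(mappings_apply=False, ignored=mapped)
    else:
        result.update(mappings_apply=None, ignored=mapped)  # driver not known
    return result

if __name__ == "__main__":
    for c in SAMPLE:
        print(audit(c, DRIVERS))
```

For containers where `mappings_apply` is false, any filtering has to happen at the container's own address or on the host firewall, since editing the template's ports changes nothing.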