It does?
How is auto-updating on startup using `apt-get update -y` any different from what `docker build` would do as part of a Dockerfile? If malicious people are able to get their malware into the upstream repos, we're all f**ked anyway. Not going to happen.
At the risk of being incendiary, comparing a forum hack, which is (sadly) now commonplace, to a repository hack is not a fair comparison at all.
The only scenario in which I agree with your comprising of where they pull the auto-update from is if the code is hosted on some random web server that isn't git or something. Most updates are likely to be `apt-get update -y` or similar; as I've already stated, if this mechanism gets compromised then a lot bigger problems than Docker containers exist. Imagine all the servers around the world that would go down. Sheesh.
Long story short, I don't believe auto-updating poses any greater risk. In fact, arguably it increases the lifespan of the container, meaning that end users are not reliant upon the maintainer to update software if problems are found. There are dozens of containers on Docker Hub which have old, outdated software, and it's a huge problem that Docker is trying to address. No one has found the silver bullet yet; if you have, then we're all ears.