- Google pioneered with the Google Update service
- Adobe Flash installs a maintenance service for automatic updating (the default choice)
- Firefox installs a maintenance service since V12
- and more...
- Services are often started at boot time and run all the time, even when you don't need them (99% of the time)
- Each miscellaneous service can have security vulnerabilities of its own
- All services are run by svchost.exe which in just about all firewall setups is given full and unrestricted access to the internet (since it's used by Windows Updates, as well). A firewall cannot distinguish which copy of svchost.exe is used for what.
And honestly, for what? just so users don't have to click a UAC dialog that's there for their protection?
My advice: remove these maintenance services. Disable silent installs, no matter how "convenient" it is for users. IMO having 10 potentially vulnerable services running 24/7 is much worse than having 1 piece of software (started when needed) possibly not being up-to-date.