To be fair, if you have a vulnerability in a .so used by e.g. Firefox, you'll also have to restart Firefox after updating to have it pick up the updated library. But you're right I would prefer the Linux update model, where I run a command once a week when I like to pick up the latest versions of software.