What if the latest bitcoin-qt is packed with a wallet-stealing trojan...
You can verify the checksum for the Bitcoin.org client binary that you download as described here:
There are many eyes on these releases. Even so, if you don't trust the Bitcoin.org binary, you can always build from the GitHub source yourself.
If you don't trust the Bitcoin.org source, you can always use another client (e.g., MultiBit, Electrum, Armory).
Also, it is not usually the case that an update needs to be performed right away -- especially if you aren't mining. If you are concerned, there's no need to be the first to do an upgrade.