I work on an open-source CMS with a few other developers, and we believe an issue with current CMS's is that even when security issues are patched, the vulnerable script still lives out in the wild. To fix this we plan to incorporate (optional) auto-updates. It would connect to the central server, find the patch, download and install it.
I, however, noticed an issue: If someone gets into the main server, they can release a patch to open up all of the CMS's using our code. My proposed solution was to use GPG signatures to verify patch integrity. The issue is that the GnuPG installation for PHP is more difficult than your average webmaster's skill set. We were looking for either a solution to get around this, or a similar thing to GnuPG for us (three developers minimum) to sign the patches.