FWIW, updates going over HTTP isn’t necessarily a problem. Many Linux distros do this too, mostly as a byproduct of the days when HTTPS was expensive. The packages go over http, but they’re all signed by the distro’s key and validated before they get extracted.

The problem here is they didn’t have any way to authenticate the updates before applying them. A good HTTPS infrastructure will mitigate that (an attacker would have to be able to forge an HTTPS certificate), but it’s good to sign the updates with a key that’s better protected than your HTTPS one anyway.