
How does it validate the updates, exactly?

Microsoft supposedly has source IP addresses known by their update clients, so that DNS spoofing won't work.



Microsoft signs its updates. There's no restriction on where you can get them from.
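A worked illustration of the point made in this comment, added here as an example rather than code from the thread or from Microsoft: an update client that pins the vendor's public key and checks a detached signature over the downloaded payload. The key pair, the payload and the `Tamper` helper are all constructed for the example; the verification step is the part that matters, and it never looks at where the bytes came from, which is why a DNS spoof or a third-party mirror on its own cannot substitute a modified update.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedUpdate is what an update client receives from any mirror, CDN node
// or caching proxy: the payload bytes plus a detached signature.
type SignedUpdate struct {
	Payload   []byte
	Signature []byte
}

// Publisher models the vendor's signing side. The private key never leaves
// the vendor; in practice it lives in an HSM, not in process memory.
type Publisher struct {
	priv ed25519.PrivateKey
}

// NewPublisher generates a fresh Ed25519 key pair (constructed for this
// example). The public key is what ships pinned inside the update client.
func NewPublisher() (*Publisher, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Publisher{priv: priv}, pub, nil
}

// Sign produces a detached signature over the SHA-256 digest of the payload.
func (p *Publisher) Sign(payload []byte) SignedUpdate {
	digest := sha256.Sum256(payload)
	return SignedUpdate{
		Payload:   payload,
		Signature: ed25519.Sign(p.priv, digest[:]),
	}
}

// VerifyUpdate is the client-side check. It takes the pinned vendor public
// key and the received update and returns nil only if the signature matches.
// Nothing here depends on the IP address, hostname or TLS state of the server
// the bytes came from: a valid signature fetched from a mirror is as good as
// one fetched from the vendor, and a tampered or foreign-signed payload fails
// either way.
func VerifyUpdate(pub ed25519.PublicKey, u SignedUpdate) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("pinned public key has wrong size")
	}
	if len(u.Signature) != ed25519.SignatureSize {
		return errors.New("update signature has wrong size")
	}
	digest := sha256.Sum256(u.Payload)
	if !ed25519.Verify(pub, digest[:], u.Signature) {
		return errors.New("update signature does not verify against pinned vendor key")
	}
	return nil
}

// Tamper returns a copy of the update with one payload byte flipped, standing
// in for any modification on an untrusted network path. The original
// signature is kept, so the modified payload no longer matches it.
func Tamper(u SignedUpdate) SignedUpdate {
	p := append([]byte(nil), u.Payload...)
	if len(p) > 0 {
		p[0] ^= 0xff
	}
	return SignedUpdate{Payload: p, Signature: u.Signature}
}

func main() {
	vendor, vendorKey, err := NewPublisher()
	if err != nil {
		panic(err)
	}
	// Constructed sample payload; a real one would be the update package itself.
	update := vendor.Sign([]byte("KB-EXAMPLE: constructed update payload"))
	fmt.Println("genuine update:       ", VerifyUpdate(vendorKey, update))
	fmt.Println("tampered in transit:  ", VerifyUpdate(vendorKey, Tamper(update)))

	// A second key pair models someone who controls DNS or a mirror but does
	// not hold the vendor's signing key: their signature is rejected too.
	other, _, _ := NewPublisher()
	fmt.Println("signed by another key:", VerifyUpdate(vendorKey, other.Sign(update.Payload)))
}
```

Only the first check returns nil; the other two fail without the client ever consulting the download source. What this does not cover is the case raised further down the thread, a compromised or coerced signing key, which a signature check alone cannot detect and which is why key custody matters as much as the verification logic.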


Microsoft has previously leaked their keys.


Not that I recall.

Microsoft has leaked keys that weren't used for code signing. I've been on the receiving end of this actually, when someone from the Microsoft Active Protections Program accidentally sent me the program's email private key.

Microsoft has been tricked into signing bad code themselves, just like Apple, Google, and everyone else who does centralized review and signing.

Microsoft has had certificates forged, basically, through MD5 collisions. Trail of Bits did a good write-up of this years ago.

But I can't think of a case of Microsoft losing control of a code signing key. What are you referring to?


As a former member of the Windows Update software engineering team, I can say this is absolutely false. The updates are signed.


I know they are signed. But is that enough?

Attackers today may be willing to spend a few million dollars to access those keys.



