Nobody thinks, "golly, I bet there is a newer version of *blank*." Only tech-savvy users even care what version they are using; novice users, unsurprisingly, go with the old "if it ain't broke, don't fix it" rule.
That being said, the only effective vector for infection will thus be the same as what is currently being done. For example, now it might be "you need a new version of Flash/Java/QuickTime to play this video," but the download is NOT Flash/Java/QuickTime but a malicious program. (Although with Vista/7 you'd think having to click through both the Internet security dialog *AND* the yellow "something funky might be going on" UAC dialog might make one wonder. On the other hand, they might have been preconditioned to do this (the clicking-OK-to-everything behaviour).)
Now, all that being said, how will adding WMP to this set of claimed required updates make a difference?