It looks like it wasn’t a software update, it was a AV definitions update, so internal to the CA application.

True, though tbf it's still part of the running system.

I read that many of those affected are global orgs. When I worked at an oil major, everything was tested to oblivion before going into production in the DCs, the reason being to avoid precisely this kind of situation where at all possible. There were clusters set aside for operational acceptance testing to ensure everything, from business application right down to kernel, ran successfully. The idea of leaving auto-update on in any production system was unthinkable. Yet here we are.

Admin: We should turn off the AV auto update in prod and test it in staging first.

Manager/CISO: That would increase our exposure time on zero day vulnerabilities. Overruled.