I don't see why the two are mutually exclusive, apart from the simplistic good versus evil narrative of marketing departments. Sysadmins didn't install the update that caused the problem, rather it was done by remote access. And it sure looks like the people who installed it got something much different than they were expecting. Is that stretching a little? Sure. But as the word 'rat' is a longstanding synonym for a snitch and as this type of software is often installed by organizational mandates against user/administrator wishes, I smell a RAT.
Personally, I wish more insecure-relative-to-a-trusted-third-party software would fail in such spectacular ways. Then maybe people would stop trusting it.
> with ring-0 access and auto-update one could become the other
I'd say that this means they aren't differentiated by capabilities. So we're down to intent. And well, Crowdstroke didn't intend to brick all those computers either.
Personally, I wish more insecure-relative-to-a-trusted-third-party software would fail in such spectacular ways. Then maybe people would stop trusting it.