... they already have Windows Update. It cannot be null-routed (respective entries in /etc/hosts are simply ignored), it is virtually always on and it can be trivially used to deliver custom patches to specific boxes. What more can you ask for?
You are right that MSFT has the "update". The bigger problem with Windows 8 computers is that similar things are in practice available to all the "third parties" who have hardware or kernel-driver components. And you have less control than before over them all. It's a broader problem than just Microsoft.
The new "you as the user can't control the kernel stuff, even with the debugger" concept is really about the user (you) giving up control. The excuse is that you as the user aren't supposed to be able to copy movies. In practice, you have no more control of your own computer, whereas the companies have real-time control even of the content by directly controlling your computer. Some routers already did such stuff. It is really worrying -- having a part of the "great firewall of China/whateverothercountry" on your own computer, which you paid for with your own money.
Who says the original Windows binaries don't have backdoors in them? So far as I can see the only difference TPM makes is that it potentially opens vulnerabilities in non-MS operating systems you run. If you're running any version of Windows, or in fact any software you don't compile yourself from source(1), you just have to trust on faith it's not back-doored up to the eyeballs from the get-go. This has always been true.