That's the part I originally worried about. If it's an OEM PC, I would wipe it clean and reinstall everything anyway, so it would be a non-issue for me, but there's no way provided to install a clean copy of WinRT. Because of this exact reason, I decided to pay extra bucks to get my phone from vendors instead of my current phone service carrier, to get rid of the crapware that could be found installed on the phone.
2. Windows Updates (including core phone OS updates) are all digitally signed back to Microsoft. Even if someone MitMs SSL traffic between you and Microsoft and swaps out the update for a malicious one, it will fail the digital signature check and be rejected by the handset.
Oh, I forgot about that detail in the marketplace release process. I guess I can say we are safe now?