1. The software pre-installed on your phone is pre-installed by Nokia anyway, so if Nokia were able to MitM to install stuff on your phone is no enhancement of their current privilege
That's the part I originally worried about. If it's OEM PC I would wipe it clean and reinstall everything anyway so it would be non-issue for me, but there's no way provided to install a clean copy of WinRT. Because of this exact reason, I decided to give out extra bucks to get my phone from vendors instead of my current phone service carrier to get rid of crap-wares that could be found installed on the phone.
2. Windows Updates (including core phone OS updates) are all digitally signed back to Microsoft. Even if someone MitMs SSL traffic between you and Microsoft and swaps out the update for a malicious one it will fail the digital signature check and be rejected by the handset.
Oh, I forgot about that piece of detail in marketplace release process. I guess I can say we are safe now?