Right now, the automated update doesn't appear to check the authenticity of the zip. It would be straightforward in some networks to alias the piwik.org domain to some malicious machine containing a compromised zip. Some options are to download only via https, or verify a GnuPG detached signature with it.
GnuPG already has a ticket in #1757. It is a low priority feature because the required extensions/libraries aren't part of the core PHP distribution, so very few Piwik users would benefit from this feature.
It's already possible to use https. For example, in config/global.ini.php:
latest_version_url = https://piwik.org/latest.zip
However, there are technical drawbacks described in #1867.
Thanks. I'll take a look.
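Putting the two options from this thread together, as an added example that is not Piwik's own updater code: download the archive over HTTPS with certificate and hostname checks switched on (HTTPS alone does not defeat DNS aliasing if the peer is not verified), then check a GnuPG detached signature against a pinned release key before anything is unpacked. It needs the PECL gnupg extension mentioned above; the signature URL, key file path, fingerprint and CA bundle path are placeholders.

```php
<?php
// Added example, not Piwik's own code. Requires the PECL gnupg extension.
// Placeholder values: signature URL, pinned key file, key fingerprint, CA bundle.
function fetchVerifiedUpdate($zipUrl, $sigUrl, $releaseKeyPath, $pinnedFingerprint)
{
    // HTTPS only defeats DNS aliasing when the certificate AND hostname are
    // checked. Older PHP left verify_peer off by default, so set it explicitly.
    $ctx = stream_context_create(array('ssl' => array(
        'verify_peer'      => true,
        'verify_peer_name' => true,                                 // PHP >= 5.6
        'cafile'           => '/etc/ssl/certs/ca-certificates.crt', // assumed CA bundle path
    )));
    $zip = file_get_contents($zipUrl, false, $ctx);
    $sig = file_get_contents($sigUrl, false, $ctx);
    if ($zip === false || $sig === false) {
        throw new RuntimeException('download failed or certificate check failed');
    }

    // Isolated keyring: trust only the release key shipped with the application,
    // never whatever happens to be in the web server user's ~/.gnupg.
    $home = sys_get_temp_dir() . '/piwik-update-keyring';
    @mkdir($home, 0700, true);
    putenv('GNUPGHOME=' . $home);
    $gpg = gnupg_init();
    gnupg_seterrormode($gpg, GNUPG_ERROR_EXCEPTION);
    gnupg_import($gpg, file_get_contents($releaseKeyPath));

    // Detached signature: the data is the zip, the third argument is the .asc.
    $sigs = gnupg_verify($gpg, $zip, $sig);
    if ($sigs === false || count($sigs) === 0) {
        throw new RuntimeException('archive is not signed');
    }
    $info = $sigs[0];
    $bad  = GNUPG_SIGSUM_RED | GNUPG_SIGSUM_KEY_REVOKED | GNUPG_SIGSUM_KEY_EXPIRED | GNUPG_SIGSUM_SIG_EXPIRED;
    // status 0 = signature verified. SIGSUM_VALID also depends on web-of-trust
    // levels in the keyring, so pin the signer by fingerprint instead.
    if ($info['status'] !== 0 || ($info['summary'] & $bad)
        || strcasecmp($info['fingerprint'], $pinnedFingerprint) !== 0) {
        throw new RuntimeException('bad or untrusted signature');
    }
    return $zip; // only now is it safe to write to disk and unpack
}

// Usage (placeholder values):
// $zip = fetchVerifiedUpdate('https://piwik.org/latest.zip',
//     'https://piwik.org/latest.zip.asc', '/path/to/piwik-release-key.asc',
//     '0000000000000000000000000000000000000000');
```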