Sure, normally you need about 2x to install anything (both apps are kept until the new version is done and validated). But that's less than the 3x, if you also kept the download there.
Anyway. Yeah, silent installs make this dangerous, no disagreement there at all (tho they're always more dangerous. I'd prefer to never have them). But there's also no reason that Android can't provide a protected external store, except that they've been self-destructively hostile to external storage in any form. It won't work if you remove the SDCard and manipulate it elsewhere, but that's not the attack vector here - it's entirely possible to protect from things on-device, just like they do for internal storage. They even partially achieve it now, with "adopted" internal storage, so it's absolutely possible.