I recently updated my D-Link Wi-Fi dongle driver. However, I had to do this through the command line because Microsoft revoked the D-Link certificates after a leak. The executable would simply not start, with a red UAC prompt blocking the executable. However, the executable ran just fine when I started it from an elevated command prompt.
This got me thinking: a hostile agent could use a revoked cert from a trusted source to disguise malware as a driver update and upload it to the source's website secretly. The user would download the driver, try to run it, fail, Google why it fails and find the alternative method and an explanation about how Microsoft revoked the certificate. In turn, he would conclude that, since he downloaded the driver from a trusted source, it's a false positive and he would use the alternative method, installing the malware willingly. Hell, I installed the driver without considering that this might be an issue, only afterwards internally justifying it after discussion with the Super User chatroom and a VirusTotal scan.
This might sound a bit conspiratorial, but I don't see this as an impossibility. Or am I mistaken in that?
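
For the scenario in the question, a check that can be run before working around the block, as an added example that is not part of the original post: it reports the Authenticode status of a downloaded installer, who signed it, and whether an online revocation check of the signer's chain flags it as revoked. The function name `Get-SignerReport` and the default path are hypothetical.

```powershell
# Added example. The default path is a hypothetical placeholder.
param([string]$Path = 'C:\Downloads\driver-setup.exe')

function Get-SignerReport {
    param([Parameter(Mandatory)][string]$FilePath)

    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    $report = [ordered]@{
        File        = $FilePath
        SHA256      = (Get-FileHash -Path $FilePath -Algorithm SHA256).Hash
        Status      = $sig.Status          # e.g. Valid, NotSigned, HashMismatch
        Message     = $sig.StatusMessage
        Signer      = $null
        Thumbprint  = $null
        Timestamped = [bool]$sig.TimeStamperCertificate
        Revoked     = $null                # stays $null when the file is unsigned
        ChainStatus = @()
    }

    $cert = $sig.SignerCertificate
    if ($cert) {
        $report.Signer     = $cert.Subject
        $report.Thumbprint = $cert.Thumbprint

        # Build the signer's chain with online revocation checking (CRL/OCSP)
        # for every certificate in it, then collect the problems it reports.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag =
            [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        [void]$chain.Build($cert)

        $flags = @($chain.ChainStatus | ForEach-Object { $_.Status })
        $report.ChainStatus = $flags
        $report.Revoked = $flags -contains
            [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
    }
    [pscustomobject]$report
}

Get-SignerReport -FilePath $Path | Format-List
```

The signature only says who signed the file, so the `SHA256` value is there to compare against a hash the vendor publishes through a separate channel.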