A battle of wits and my opponent is unarmed. Oh, well.
There are not 400 copies of the codebase, there is typically one, sometimes 2, rarely 3. That's not how it works. Perhaps your distro has a small collection of favourite patches for large items like the kernel or OpenOffice, perhaps not, but it's all built from and folded into one set of sources.
We do not claim to be invulnerable to phishing scams. We just claim that installing the kinds of malware which plague MS-Windows is orders of magnitude harder. As in this case. You'd have to have the root password to install the malware, and we generally don't give the users that because unlike MS-Windows we don't need to run, for example, accounting programs as Administrator.
Anyone with the root password is going to know that their updates arrive on the canonical file server and are automatically picked up and installed by their package manager (apt, URPMI, yum, yast, pkg, whatever) provided that the crypto keys match.
How much else don't you know?