GOG could just as easily be compromised and have their installers and patches infected.
But that code would have to be downloaded and run manually, which means that any compromise would become obvious as soon as the first person noticed something amiss. With Steam's automatic updates, everyone could be hit near simultaneously with a new exploit and most would be unaware of anything unusual, due to all the other update activity.
GOG's Galaxy could well pose similar security risks to Steam's client, but their existing system is less risky than standard downloads from many mainstream websites.
As for UAC, it's designed more to annoy programmers and users into storing data outside the Program Files folder, which not only breaks older games but also hampers modding tools (this recommendation is repeated for modding Baldur's Gate with WeiDU for example). So GOG are perfectly correct to recommend against it - there are far better security tools out there.