I will grant you that the auto-updating aspect of Steam makes for a potential target, but quite frankly there are far easier ways for malware writers to get their code onto someone's computer (IE exploits being the most common). Malware writers, by and large, will choose the simplest method of distribution. Hacking into Valve's servers, modifying game/Steam code and triggering an update - one that would likely be caught and patched pretty quickly - is not a simple method.

First off, modifying game code would require that the people launch the game after the virus uploaded. There's a far better chance that the exploit would be caught and fixed before too many people launched it. If they modified Steam itself, that would require a restart of the Steam client before any changes would take effect.