Originally Posted by Jito463
I will grant you that the auto-updating aspect of Steam makes for a potential target, but quite frankly there are far easier ways for malware writers to get their code onto someone's computer (IE exploits being the most common).
IE may be the most common attack vector, but it usually requires a visit to a malicious website, so no exploit is likely to offer simultaneous targeting of 65 million users.
Originally Posted by Jito463
Malware writers, by and large, will choose the simplest method of distribution.
There are certainly many who target low-hanging fruit. But others have branched out, even into completely unexpected areas - so it's a fair bet to say anything that can be targeted some day will be. While it is fair to say Steam will be a harder nut to crack than many, the scale of the possible benefits makes it an attractive target to the most talented and organised malware groups.
Originally Posted by Jito463
Hacking into Valve's servers, modifying game/Steam code and triggering an update - one that would likely be caught and patched pretty quickly - is not a simple method.
Except that someone did this a few years back and wasn't discovered until someone else gained access and used it to spam Valve's forums in November 2011. And neither group has been caught so far.
Originally Posted by Jito463
First off, modifying game code would require that the people launch the game after the virus uploaded.
The Steam client itself is exploitable so can be used to run software without user intervention.