I'm afraid the answer to "why" is "because overall it would be worse the other way".
I do understand that it doesn't work well in your situation, but that case (blocking outgoing connections) is very rare. Over the years, using the new setup to do the update has helped us many times to overcome various problems (a bug was found in the existing/old setup that would prevent the update from being performed correctly, or the update required functionality that the old setup simply didn't have).
Also, if a personal firewall blocks outgoing connections, the firewall rules may as well be based on file content (i.e. allow only a specific executable with a given hash to access the network). In that case, not getting the program update can actually be a better outcome - if the program was updated and a new version installed, the executables could be blocked, not getting even the virus definition updates...
I don't work on the setup part, but if I should guess, I'd say this will not change, sorry.