Exactly. The front door is what the end user uses in the regular operation of the system. If there is another "door" imposed under penalty of law then it isn't the front door.

Every user downloads and runs arbitrary code constantly, as updates. In the far future updates might come with a formal proof of their security, machine-verified on download, but for quite a few years still we will be stuck with just cryptography.

A front door would be using Microsoft's signing keys. As long as you don't leak the keys, you aren't diluting security in general. A back door would be just leaving vulnerabilities around. It's a meaningful distinction.

There is a meaningful distinction between lawful imprisonment and false imprisonment; that doesn't make it accurate to call lawful imprisonment freedom.

Moreover, the ability of software vendors to push malicious updates is a security vulnerability. Just because we haven't eradicated it yet doesn't mean we should codify our inability to address it in the future, e.g. by allowing users to choose what party they trust to verify and sign updates.