WMI and Patch Management

It seems like the new patch management platform used by the ITMU stores the patch information in WMI. This certainly speeds up the scanning for necessary updates, but I can't help but wonder if this will lead to security problems down the road.
When the Windows Security Center came out in XP, it was quickly discovered that you could spoof antivirus and the firewall by changing the information stored in WMI. Microsoft responded that WMI is protected by an ACL so that only the local Administrator can modify it, and further, if an attacker has local administrator rights, then you have bigger problems than WMI. I say, why help the attacker remain undiscovered and unfettered?
Does the local administrator need to be able to change those settings? Is there a way to do this so that only the scan tool can update WMI? I just fear a worm that disables the antivirus and the personal firewall, and spoofs WMI so the user thinks they are protected. Not only that, the patch info could be spoofed so not only does the user think they are patched, but Windows Update and SMS agree. Will Windows Update still check the registry entry and the file versions? It sounds like ITMU trusts completely in WMI.
My officemate pointed out that it's even worse than this. Software will have vulnerabilities. What happens when someone is able to hack WMI to modify this info without local administrator rights?
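
The ACL that protects a WMI namespace can be audited directly. The PowerShell below is an added example, not part of the original post: it lists every trustee that holds write rights on a namespace and flags any that are not SYSTEM or BUILTIN\Administrators. The function name, the default namespace and the list of expected SIDs are assumptions made for illustration.

```powershell
# Added example: who can write to a WMI namespace?
# WMI namespace access-right bits, as defined in the WMI SDK.
$WriteBits = [ordered]@{
    FullWrite     = 0x4      # WBEM_FULL_WRITE_REP: write classes and instances
    PartialWrite  = 0x8      # WBEM_PARTIAL_WRITE_REP: write static instances
    ProviderWrite = 0x10     # WBEM_WRITE_PROVIDER: write provider-backed instances
    EditSecurity  = 0x40000  # WRITE_DAC: change the namespace ACL itself
}

# Assumption: only these trustees are expected to hold write access.
$Expected = 'S-1-5-18', 'S-1-5-32-544'   # SYSTEM, BUILTIN\Administrators

function Get-WmiNamespaceWriter {
    # Default is the Security Center namespace on Vista and later;
    # XP used root\SecurityCenter. Pass any other namespace to audit it.
    param([string]$Namespace = 'root\SecurityCenter2')

    $r = Invoke-CimMethod -Namespace $Namespace -ClassName __SystemSecurity `
                          -MethodName GetSecurityDescriptor
    if ($r.ReturnValue -ne 0) {
        throw "GetSecurityDescriptor failed with code $($r.ReturnValue)"
    }

    foreach ($ace in $r.Descriptor.DACL) {
        if ($ace.AceType -ne 0) { continue }   # 0 = access-allowed ACE
        # Names of the write rights this ACE grants, if any.
        $granted = $WriteBits.Keys |
            Where-Object { $ace.AccessMask -band $WriteBits[$_] }
        if (-not $granted) { continue }

        [pscustomobject]@{
            Namespace  = $Namespace
            Trustee    = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
            Sid        = $ace.Trustee.SIDString
            Rights     = $granted -join ','
            Unexpected = $ace.Trustee.SIDString -notin $Expected
        }
    }
}

Get-WmiNamespaceWriter | Format-Table -AutoSize
```

Run it from an elevated prompt, since reading the namespace security descriptor normally requires administrative rights. A row with `Unexpected` set to `True` is an account outside the expected list that can change what the namespace reports.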