If an attacker can take control of the update process, they can push a penis-showing (or actually dangerous) update to all the machines in the network. That could be hundreds or thousands! Good luck doing that with a pocket knife.
Also, vandalism is about the least interesting reason to hack kiosks. It can get you into an otherwise inaccessible network, which often contains all sorts of internal services with loose or no authentication (POS software often uses default creds because "it's on an internal netwok anyways"). Hacked kiosks are also often used as proxy servers for illegal activity and bots in DDoS botnets.
Did you read the article? This is about security on-device
The update process can be backed on the kiosk side, hacking the remote side of the update process is a completely different story.
I mean in some cases that was a simple signed package hosted on an S3 bucket... how are you going to leverage that to vandalize a network of devices?
And the kiosks are never on an interesting network (if they were there's dozens of ethernet ports scattered about the place you can use to get access anyways)
Hacked kiosks being used as proxy servers when you need physical access to hack is also a very uninteresting problem. Why risk tying your physical self to a bot for nefarious usage when there are a million and one other "IoT" devices you can pwn instead?
Also, vandalism is about the least interesting reason to hack kiosks. It can get you into an otherwise inaccessible network, which often contains all sorts of internal services with loose or no authentication (POS software often uses default creds because "it's on an internal netwok anyways"). Hacked kiosks are also often used as proxy servers for illegal activity and bots in DDoS botnets.