Sorry for pulling up an old thread again, but this just echoed my thoughts very well...
An easy way to upgrade is really needed. The five-step upgrade might be easy for anyone that likes hacking code, but for any non-programmer that just wants to install a blog and make sure it is updated and secure, the upgrading can seem scary.
First thing that needs to be done:
Remove the subfolder in the zip file. This is a real annoyance. I never install WordPress in a subfolder as I run it as the main CMS on the sites where I use it. So upgrading is always a pain. Installing in a subfolder is again no problem if you are a programmer, can fix your .htaccess so nobody will notice it etc. But generally it is a bad idea to force this on people. If you want it in a subfolder, then create the subfolder of your choice and unzip it there. Most people do not have shell access to their hosting account. But many have cPanel. And in cPanel your only option is to unzip as is...
Make increment upgrades available (is this the right word?).
Any older than 2.0 will have to upgrade to 2.0 first.
This system is being used for Joomla at the moment and works great. Takes the whole problem out of upgrading. Just ftp the upgrade to your root installation and use cPanel to unzip it. Done.
A good upgrade function in WordPress would be to have a tool that checks the WordPress.org server for new versions and alerts you when you log on to the admin panel. Then have a button that downloads the upgrade and unzips it. Basically a little more automated version of the one above. This method only deals with WordPress files, so it does not matter what OS you are on.
I think we all can agree that keeping all WordPress installations secure is a must. But with the current way to upgrade, a lot of people do not fix things until they are broken. And this has to be addressed.
The reason why I do not like unzipping and rezipping to get rid of the subfolder is that I am hosting my websites on a Linux server, and doing anything to files on a Windows PC tends to always break something...
BTW - I have noticed that some people do a diff and make it available online. This is fine, but for security reasons, this should be done by the WordPress team.