combine SRs:
I'm sure they could.  Why they don't, I don't know.  There are certainly to reasons on both sides of it, to patch or not to patch.

dowload manager:
It seems to me that this was done to have one download system, regardless of retailer that doesn't rely on website access where a connection could be broken or to remove funny behavior of this web browser versus that web browser.  I'm not defending or detracting from the download manager.  I do think it should remember your serial number, but that's also the least "safe" option.

upgrade from rmp:
Can be hard to keep up with depending on how many retailers/partners.

your isolationist situation:
You've put yourself in an uncommon scenario and therefore the extra hoops come with that territory.  So you'll have to deal with transferring downloaded updates/content/whatever from your net-capable machine to the one that isn't.

If you were instead to defend your main machine from threats, I don't think you'd have that much to worry about, in general.  That doesn't mean something unlucky could happen but in mosts cases, it's doing things like opening attachments from sources you aren't sure of, traveling to questionable sites and/or not having up to date or decent protection.

Your stuff isn't going onto the internet unless you put it there, use a synch/cloud service, and/or aren't adequately protecting your machine.  I personally also avoid to put any of my important stuff into any kind of Windows common folders like "My Documents", "My Games", etc.  To me those are high target areas.

I don't think at all that those places/stores would intentionally drop a trojan or other malware but places do get hacked/infected, so you're still taking a risk.

But all-in-all, it comes down to choice and you have a specific way that you've elected to do things and you seem comfortable with it, so it's not wrong, just uncommon and a scenario that is going to require extra steps.

.