At my previous job who does PHP hosting, I set up vsftpd with SSL-only connections specifically so that WordPress could be updated without needing to make the installation web writeable.

If you look back on security issues that WordPress has commonly had, a lot of them have been remote code execution vulnerabilities, which are the result of doing things like this.

We even went as far as to set up Suhosin to disable the ability to execute web-writeable files, as a common attack method was to upload a file and execute it.