If these hacks did in fact come from wordfence, it is a good reason not to allow auto updates.
Oh gosh, no don't take that attitude. Not upgrading MailPoet is how many WordPress installations were compromised.
No plugin auto updates, you have to initiate the update via the WordPress dashboard. But when an update comes out you really need to backup your installation and perform that update. Doing that will keep your installation safe.
Not doing that leads to your site getting compromised.