Regular backups are the best protection.
Relying only on Dropbox is actually a bad idea, since the ransomware would probably encrypt the files in your Dropbox folder, from where they would propagate to all your other devices (although depending on how the ransomware works, you may be able to retrieve the unencrypted files using Dropbox' versioning feature on their web page). Always keep offline backups of the files as well.
Malware in the past has been distributed via the App Store too. I guess the only liability lies on the authors of the hack unless maybe the server was so insecure to constitute gross negligence? I doubt it and I'm not even sure it would be a realistic case even if it were indeed blatantly insecure.
Because the attackers used a security hole that they didn't know about.
Good to be safe -- though if you hadn't, you'd be among those who weren't effected. The less lucky downloaded the install file and ran it -- that's when the ransomware was installed. Those who autoupdated are OK.
In this case it wasn't possible to install from the app store, since Apple doesn't allow Bittorrent clients on the store for some reason. So I guess you could also blame Apple.
Apart from that in this case only the manual downloads were affected, not having automatic updates also means you would not be getting the update that includes a malware removal tool. Generally, the likelihood that updates fix security issues is much higher than that they introduce them. An argument can be made to wait a short time after the release of any update (with a longer time more appropriate the more substantial the update is) but this requires active monitoring of any discovery of issues for every software update.
Actually software like Little Snitch is quite easy to bypass for malware (see e.g. slides 50 and 51 in this presentation from the Black Hat 2015 conference). Once a machine is compromised, you cannot rely on any software running on that same machine.
