As you are probably aware, security is not an "on/off" type arrangement and you always need to make compromises. When the TurnKey Linux appliance was first developed (many years ago, prior to WordPress supporting 'live' upgrades) the file permissions were set to maximise security (at the cost of user-friendliness; but easily worked around via the commandline).

But as WordPress has evolved, the 'user friendliness' cost imposed by the choice of security settings has risen. In some respects it could be argued what started as a security plus has actually become a security minus. Whilst the risk of a compromised WordPress install hijacking the whole server is reduced; the chance of an out-of-date WordPress install getting hacked in the first place is increased...

The new (not yet released v14.0) version of our WordPress appliance reworks the permissions to allow easy in place upgrades. It does come with the 'price-tag' or reduced overall server security but users will find it easier to keep WordPress up to date so the risk of WordPress being compromised are less (so long as the user actually applies the updates!).

But to get to the point, there is an extensive post covering how one might go about "fixing" the security settings of the current appliance (including a lively debate about the pros and cons). Have a look here. This post specifically covers the steps to take to enable browser based upgrades.