Multibit does use servers that let people download the client. If these were compromised, anyone who downloads the client while the servers are compromised could be infected with bitcoin-stealing malware, and/or the client could be backdoored. This can be prevented by checking that the download is signed by the Multibit developers' PGP key before you install it.
Electrum receives its transaction data from special nodes (which anyone can run). This is for privacy purposes: with SPV, the node you get your transaction data from knows what your Bitcoin addresses are, so it's a good idea to only use a node that you trust instead of randomly choosing one each time you make a tx. Electrum still connects to 8 normal Bitcoin nodes to get block headers to make sure that the Electrum server you use isn't leaving any transactions out, so it's difficult for the node to do anything malicious.
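The following is an added example, not part of the original post and not Electrum's own code. It shows the kind of check block headers make possible for an SPV client: a transaction reported by a server is accepted only if the server's Merkle branch hashes up to the Merkle root in a header obtained separately. The function names, the sample txids and the zero-filled header are constructed for illustration, and header proof-of-work is assumed to have been validated elsewhere.

```python
import hashlib

def dsha256(data: bytes) -> bytes:
    """Bitcoin's double SHA-256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def next_level(level):
    """Hash pairs of nodes; an odd node out is paired with itself."""
    if len(level) % 2:
        level = level + [level[-1]]
    return level, [dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]

def merkle_root(txids):
    level = list(txids)
    while len(level) > 1:
        _, level = next_level(level)
    return level[0]

def merkle_branch(txids, pos):
    """Sibling hashes from leaf to root: what a server sends as its proof."""
    branch, level = [], list(txids)
    while len(level) > 1:
        padded, parents = next_level(level)
        branch.append(padded[pos ^ 1])
        level, pos = parents, pos >> 1
    return branch

def header_merkle_root(header: bytes) -> bytes:
    """Header layout: version(4) | prev hash(32) | merkle root(32) | time, bits, nonce."""
    if len(header) != 80:
        raise ValueError("block header must be 80 bytes")
    return header[36:68]

def tx_in_block(txid, branch, pos, header):
    """True only if txid plus the server's branch hashes up to the header's root."""
    node = txid
    for sibling in branch:
        node = dsha256(sibling + node) if pos & 1 else dsha256(node + sibling)
        pos >>= 1
    return node == header_merkle_root(header)

# Constructed sample data: five made-up txids and a header whose fields are
# zeroed apart from the merkle root (no proof-of-work check is done here).
TXIDS = [dsha256(b"constructed tx %d" % i) for i in range(5)]
HEADER = bytes(36) + merkle_root(TXIDS) + bytes(12)

if __name__ == "__main__":
    proof = merkle_branch(TXIDS, 2)
    print("real tx accepted:", tx_in_block(TXIDS[2], proof, 2, HEADER))
    print("fabricated tx accepted:", tx_in_block(dsha256(b"fabricated"), proof, 2, HEADER))
```

A proof like this shows inclusion only: it catches a server that reports a transaction that is not in the block, but it cannot by itself reveal a transaction the server never mentioned.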