However, for any organization which will use WireGuard, even if admins are very effective at applying updates, updating all the endpoint systems simultaneously is not realistic. At the same time, it may be the case that the organization can't afford the downtime, in which case using WireGuard will simply not be an option, which is too bad.
Fixing any crypto weakness will require kernel updates and configuration changes. A very easy config change, compared to all the other work you'd have to do if a flaw is discovered that forces a different crypto algorithm, is "use a second WG instance with a different UDP port".
A script that monitors connections to the new WG instance and auto-disables the associated peer keys in the old instance is easy enough to write.
Problem solved, no downgrade attack possible.
-- -- Matthias Urlichs