Related question about this, with apologies if this is a dumb question. For small to mid size tech companies (say small startups to 1000 employees), what are the general recommended IT procedures to ensure application software like this is updated across the company?

That is, every company I've worked at has had some form of device management software on their laptops, but that software only ensured that the OS and some specific "managed applications" were always patched. For developers, though, we never had fully "locked down" machines because they made our job so much more difficult (that is, more than other departments we'd often be installing and running new software).

In that case, are there some specific corporate controls to ensure nobody is running an unpatched VSCode, beyond messaging all engineers and saying "you better make sure your VSCode installation is updated, or else..."?

This isn't what you asked for, but one of the systems that Google uses internally has system to report the hash of every executable launched and block executables it isn't aware of.

A binary authorization system for macOS https://github.com/google/santa