Extensions and NPAPI plugins are very, very different, as are the associated risks to users, and they therefore have different policies.
Extensions can't be silently installed because that ends up being used to install malicious extensions that do things like change browser settings and make them hard to change back, easily harvest sensitive information from sites users visit, inject extra ads on every site the user visits (and/or replace ads that support sites with ads that just pay the malware authors), etc.
NPAPI plugins, on the other hand, do absolutely nothing in the browser unless specifically loaded by a page. They aren't particularly interesting as malware, because the added capability that NPAPI plugins give you is the ability to run native code. But if a malware author can get someone to run an installer to install the plugin, they could just as easily install something else instead that runs native code continuously in the background, rather than only when a user visits a site that triggers a plugin (and they can much more easily hide that than a plugin, which has to be in a known location, and shows up in Chrome).
The danger with NPAPI is around exploits of already-installed, non-malicious plugins, whereas the installation of malicious extensions is a real issue.