The trouble here is that the user lighttpd runs as is configured from lighttpd.conf. The server supports running as the specified user.
For a new installation, I can understand how the package might assume a particular user, but once the system is installed, updates need to honor the configuration. If a package is already installed, it's a good bet that you shouldn't screw with the permissions and users associated with that package during an upgrade. That means, don't re-create the www-data user, sure as hell don't give it a shell, and don't change the ownership of related files.
The package scripts could always grep out server.username from /etc/lighttpd/lighttpd.conf, but you shouldn't just assume www-data, and stomp all over an existing configuration.
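A sketch of the lookup suggested above, as an added example (not part of the original message and not the package's actual maintainer script). The function names are hypothetical, only a literal quoted server.username = "..." assignment in the main file is parsed (includes and variables are not followed), and the second argument is assumed to be the previously configured version that dpkg passes to "postinst configure", which is empty on a fresh install.

```shell
#!/bin/sh
# Added example: decide what to do about the service account from
# lighttpd.conf instead of assuming www-data.

# Print the value of server.username from the given config file.
# Commented-out lines are ignored; the last assignment wins.
# Returns 1 if the file is unreadable or has no such setting.
lighttpd_conf_user() {
    conf=$1
    [ -r "$conf" ] || return 1
    user=$(sed -n 's/^[[:space:]]*server\.username[[:space:]]*=[[:space:]]*"\([^"]*\)".*$/\1/p' "$conf" | tail -n 1)
    [ -n "$user" ] || return 1
    printf '%s\n' "$user"
}

# $1 = config path, $2 = previously configured version (empty = fresh install).
# Prints the action a maintainer script should take:
#   "keep <user>"   account is in use or already exists: do not modify it
#   "create <user>" fresh install and the account does not exist yet
#   "skip"          upgrade with no readable setting: change nothing
plan_service_user() {
    conf=$1
    old_version=$2
    if user=$(lighttpd_conf_user "$conf"); then
        :   # the administrator's configured account takes precedence
    elif [ -n "$old_version" ]; then
        echo "skip"
        return 0
    else
        user=www-data   # package default, used only on a fresh install
    fi
    # On upgrade never touch the account; on install only create if absent.
    if [ -n "$old_version" ] || id -u "$user" >/dev/null 2>&1; then
        echo "keep $user"
    else
        echo "create $user"
    fi
}
```

Only the "create" result should lead to adding an account, and none of the results justify changing a login shell or running chown over existing files.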