What I am trying to cater for is the inevitable occasion where a customer does a firmware update that goes wrong and seems to "brick" the device, as the "app" nor-flash is corrupted and an in-app updater can't be run.

Back in the day when I was doing set-top boxes we would support updating many thousands of boxes via cable overnight.  Of course, many of the updates would fail for some reason or another.

So we kept two copies of the FLASH image in the filesystem:  The newest download and the last known good.  On reset, the bootloader would load the newest download first if it is present; otherwise it would load the last known good.  If the newest download failed to boot, it was removed (and would be updated again the next night).  If it booted successfully, it would mark itself as the "last known good."

That logic is pretty simple and worked well.  Lots of other people in this list have dealt with this and perhaps have developed some better solutions.
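The bootloader policy described above, as an added example that is not part of the original message: a small C model of the two-slot scheme. The slot layout, the `boots_fn` oracle standing in for the app marking itself good, and the demo scenario (v3 as the bad build) are all constructed assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
/* Two-slot filesystem model for the scheme in the post; each slot holds an
 * image version, 0 meaning empty. Added example, not code from the message. */
typedef struct {
    int newest;  /* the most recent download */
    int lkg;     /* the last image that booted successfully */
} flash_fs_t;

/* Boot-success oracle: stands in for the app marking itself good once up. */
typedef bool (*boots_fn)(int version);

/* Bootloader policy: newest download first, else last known good, else 0. */
static int select_image(const flash_fs_t *fs) {
    return fs->newest ? fs->newest : fs->lkg;
}

/* One reset. Returns the version left running, or 0 if nothing booted. A
 * failed newest image is removed and the loader goes around again. */
static int boot_cycle(flash_fs_t *fs, boots_fn boots) {
    for (int attempt = 0; attempt < 2; attempt++) {
        int version = select_image(fs);
        if (version == 0) return 0;
        bool from_newest = (version == fs->newest);
        if (boots(version)) {
            if (from_newest) {      /* app marks itself last known good */
                fs->lkg = version;
                fs->newest = 0;
            }
            return version;
        }
        if (!from_newest) return 0; /* LKG itself failed: nothing left */
        fs->newest = 0;             /* drop the bad download and retry */
    }
    return 0;
}

/* Constructed scenario: v3 is the broken build. Returns the version running
 * after the failed night, which should be the previously promoted v2. */
static bool demo_boots(int version) { return version != 3; }
static int demo_after_bad_update(void) {
    flash_fs_t fs = { .newest = 0, .lkg = 1 };
    fs.newest = 2; boot_cycle(&fs, demo_boots);  /* night 1: v2 becomes LKG */
    fs.newest = 3; return boot_cycle(&fs, demo_boots);  /* night 2: v3 fails */
}

int main(void) {
    printf("after the bad update the box runs v%d\n", demo_after_bad_update());
    return 0;
}
```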

