[devrand]

Downside of this is that you could end up in a different broken state: ex. What if the original firmware now has too old of a CA bundle?

This could be avoided by using your own PKI for updates (and bundle your own root), but I assume most devices out there are using Web PKI for updates.

[0x0001]

Better write a firmware to avoid this problem i have written in the past firmware for devices that don't affect the user experience including CA's, server domain or ip and other parts that don't require a full firmware update, better to "waste" development time thinking of all future problems that are out or your hand than bother the final users IMO. As a developer you should think every problem you could face or you aren't using the best practices of software development.