I'm fairly sure that completely separating system boot functionality and software reprogramming functionality was one of the first requirements of the rover software update subsystem!
Sticking the bootloader in a ROM is a fairly secure way to accomplish this.
I'm pretty sure they have a duplicate hardware setup for testing beforehand and debugging problems, which ought to help avoid such problems, and help fix problems that arise.