IMHO, a much more reasonable approach would be to have a minimalistic bootloader running on a separate hardware with some kind of redundancy + a more or less regular system for the rest of the logic. If the cost of error is simply deploying a patch using a dedicated high-reliability channel, you don't need to suffer and restrict yourself to stone-age technology.