On 7/10/20 5:22 PM, John M. Harris Jr wrote:
Android, actually, is trying to get it right by a) being a platform so 
that common security updates are available from the platform owner, and 
can be applied to everyone's system and b) having a secure remote update 
method.
The problem with implementing systems such as this is obvious. If the end 
user cannot upload their own firmware, because the host has a hardware 
mechanism for checking the signature of the firmware, that's not good for the 
end user, it's harmful. It would mean they don't actually own the system, the 
vendor does.

Yes, but if it's too easy (and can be triggered remotely) it becomes a huge problem.

I also want to be able to load alternative firmware---but it has to be difficult, e.g. by requiring one to disassemble the device and physically access the electronics.