I'm fairly sure that completely separating system boot functionality and software reprogramming functionality was one of the first requirements of the rover software update subsystem!

Sticking the bootloader in a ROM is a fairly secure way to accomplish this.