Cisco (for example), you upload two images - the new one and the existing old one. If the new one fails to load, the device falls back and loads the old image, simple. Hell, if the packages aren't uploaded to the MT devices correctly, a SIMPLE MD5 checksum is enough for MT to dump the package file and not attempt to update the router, but nooooo. Then there are more complicated solutions too, where NAND storage could be made into two partitions (one being for recovery software), again, MT can't be bothered.
i spent my 20 years of experience building BF networks with Cisco and Juniper. My last 10 years were infected with RouterOS. there are good sides, there are bad sides. the cisco world you look for is long time over. their big boxes run IOS-XR, which is more like the "windows of Internet", literally takes 20+ minutes to boot, and upgrades and SMUs are kind of nightmares in many cases, you may need to re-boot the box twice, remove conflicting SMUs. even Huawei manages that better. JunOS is far better on the ISSU area, basically their MX960 (and all MX2+ series boxes) were the first one i experienced to do ISSU as expected.
coming back to IOS-XR: the "single binary on the flash is decompressed to ram and booted" times are long over. basically IOS-XR uses the same concept as routeros, there is an actual filesystem on the flash (ok, not on linear NAND but say an SSD) and there's the filesystem the router will boot from. and updates modify that. and there are actual routers (3-4 year old asr9k boxes with RSP4G) that are not physically capable of hosting 2 different images. at some time it was a viable option to do Z/X-modem and upload stuff even through RomMon, but today's images are in the 100x of megabytes and even over 1GB. and those are not enterprise but service provider devices. and they seem to have the weirdest issues - like not being able to do packet fragmentation on PPPoE sessions, or simply discarding too big packages with DF bit set w/o sending the ICMP unreachable message. and it takes more than 1 year to get this fixed.
regarding the ASR1k, we have some in our network, not too many, but enough. they are pretty solid boxes. but the prices associated with them are way in another league. you can buy a CCR1072 for merely 3k USD, whereas you'll be charged 10kUSD only for IOS-XE software. and then come the licenses (right to use, and scalability). you may not use all 1G/10G ports available on the box, and so on. i just finished 2 asr1002-FX configurations. just the bare metal with 4x10GE ports and 4xGE ports enabled on it, it's a 2-slot pizza box, crypto module for up to 10G throughput, up to 16k users PPPoE termination and IPSEC licenses. guess what: the IPSEC box w/o PPPoE goes for 136kUSD and the PPPoE w/o IPSec for 153k USD. even if we get say 50% discount, it will be way more than 10x the price of the CCR, whereas the features are more or less on par. all this without support or access to software updates - that will cost additional 4-8% of the list price.
i guess the lessons are the following: distant devices shall have 2 partitions, and console access. and you shall upgrade one at a time.
to my best knowledge, routerOS validates the packages found on the disk before updating the base OS with them.
however i totally agree with you on that windows-ish toolkit: i hate it as well. you can get the device up&asking for the "net install" image, but you don't have access to that directly. you could (theoretically) extract it from the netinstall binary, but i would call it rather tinkering than actual troubleshooting. probably mikrotik doesn't want to hand out scripts which reveal how license management is done. i don't know, and i don't care. i just don't like this windows-only stuff.
i'd rather have a "netinstall image" feature set for say any (or a specific) mikrotik device with USB slot (say map2n) and deploy it as last resort to those locations to act as a boot server. cause getting transparent L2 connectivity is not easy from 1000+ kms. and this is required for netinstall.
OTOH, it just fell into my mind, and probably it would be faster/easier than shipping the box back and forth.
start netinstall on your PC which is connected to the internet.
forward TFTP port on the outside of your router to that PC. set up CCR to use DHCP as boot protocol.
next to the dead CCR on any device (say a mikrotik with dhcp package) start dhcp server and set option 66 to the router's IP address and option 67 to the boot filename (/image?) and don't forget to send the gateway so the net-booted CCR will be able to access the internet. (if it is connected with its net-bootable-if to the network).
it should be able to load the required stuff from your PC all over the internet and show up in netInstall.
or you could ask someone to plug any mikrotik device to the CCR's boot port and netinstall it over an eoip tunnel
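The DHCP side of the procedure described in the post above, as an added example that is not part of the original post: it builds and parses a DHCP options field and checks that a reply carries the gateway (option 3), option 66 and option 67 the booting device would need. The addresses and the `/image` filename are constructed placeholders, and the function names are hypothetical.

```python
import socket

MAGIC_COOKIE = bytes([0x63, 0x82, 0x53, 0x63])  # precedes the options (RFC 2131)
OPT_PAD, OPT_ROUTER, OPT_TFTP_SERVER, OPT_BOOTFILE, OPT_END = 0, 3, 66, 67, 255

def encode_options(router, tftp_server, bootfile):
    """Build the options field a DHCP server would send for a net boot."""
    out = bytearray(MAGIC_COOKIE)
    for code, value in ((OPT_ROUTER, socket.inet_aton(router)),
                        (OPT_TFTP_SERVER, tftp_server.encode("ascii")),
                        (OPT_BOOTFILE, bootfile.encode("ascii"))):
        if len(value) > 255:  # the length field is a single byte
            raise ValueError(f"option {code} too long")
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)

def parse_options(field):
    """Parse code/length/value options into {code: bytes}; reject malformed input."""
    if field[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(field):
        code = field[i]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:  # pad is a lone byte with no length
            i += 1
            continue
        if i + 1 >= len(field) or i + 2 + field[i + 1] > len(field):
            raise ValueError(f"option {code} is truncated")
        length = field[i + 1]
        opts[code] = field[i + 2:i + 2 + length]
        i += 2 + length
    raise ValueError("options field has no end marker")

def netboot_settings(field):
    """Return (gateway, tftp_server, bootfile); raise if any of them is absent."""
    opts = parse_options(field)
    missing = [c for c in (OPT_ROUTER, OPT_TFTP_SERVER, OPT_BOOTFILE) if c not in opts]
    if missing:
        raise ValueError(f"missing options: {missing}")
    if len(opts[OPT_ROUTER]) < 4:
        raise ValueError("router option shorter than one IPv4 address")
    return (socket.inet_ntoa(opts[OPT_ROUTER][:4]),
            opts[OPT_TFTP_SERVER].decode("ascii"),
            opts[OPT_BOOTFILE].decode("ascii"))

# Constructed sample: documentation-range addresses, placeholder filename.
SAMPLE = encode_options("192.0.2.1", "203.0.113.10", "/image")
```
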