"(else what if the bug that is being updated is within the code that allows an update)"
You're right of course, but I would consider that a special case, very unlikely to ever occur and if it did, then the postal system is always there as a backup. For the vast majority of updates, only the ‘command interpreting machine’ will need modifying. It must be a trivial matter to isolate this part of the system from the bootstrap and comms part.
I have several PIC programmers, and would be happy to use one for Picaxe firmware updating (it’s not hard to build one from scratch), though I’m not convinced that it can’t be done with the normal download lead.
Additional security (encryption or whatever) would use up more program space, but as has been noted in other threads, the X2 parts have plenty.
How about this: a one-off executable could be produced for each update. It contains the encrypted firmware plus the comms and security program. You download it, run it, use your unique one-time access code that has been emailed to you, and the update program sends the encrypted update to the Picaxe through the programming lead, where the internal decryption takes place. There you go. Completely safe.
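As an added illustration of the update scheme sketched above (this is not the poster's code, and not anything from the Picaxe firmware or editor), the following Python models the two ends of it: a tool that wraps a firmware image into an encrypted, authenticated blob, and the device-side routine that checks the blob before decrypting it. It assumes a shared device secret (`master_key`), a constructed header format (`PXFW` magic, version number, nonce), and an HMAC-SHA256-based counter-mode keystream standing in for whatever cipher a real part would use. The point it adds to the thread is that encryption alone only keeps the image confidential; the device also has to verify a tag before acting on the update, and keep a version counter so an old (but validly signed) image cannot be replayed onto it.

```python
import hashlib
import hmac
import os
import struct

# Constructed container format for this example: magic, 32-bit version, 16-byte nonce.
MAGIC = b"PXFW"
HEADER_FMT = ">4sI16s"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24 bytes
TAG_LEN = 32                                # HMAC-SHA256 output


class UpdateRejected(Exception):
    """Raised by the device side for any blob it must not flash."""


def derive_keys(master_key: bytes):
    """Split the one shared secret into independent encryption and MAC keys."""
    enc_key = hmac.new(master_key, b"firmware-encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"firmware-auth", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode XOR using HMAC-SHA256 as the block PRF.

    Toy stand-in for a real stream/block cipher (assumption of this example);
    the nonce must never repeat under the same key, hence os.urandom below.
    """
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(enc_key, nonce + struct.pack(">I", block_no),
                         hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)


def build_update(firmware: bytes, version: int, master_key: bytes) -> bytes:
    """Tool side: encrypt the image, then MAC header+ciphertext (encrypt-then-MAC)."""
    enc_key, mac_key = derive_keys(master_key)
    nonce = os.urandom(16)
    header = struct.pack(HEADER_FMT, MAGIC, version, nonce)
    body = header + keystream_xor(enc_key, nonce, firmware)
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return body + tag


def verify_and_decrypt(blob: bytes, master_key: bytes, installed_version: int):
    """Device side: authenticate first, parse second, decrypt last.

    Returns (version, plaintext firmware) or raises UpdateRejected.
    """
    enc_key, mac_key = derive_keys(master_key)
    if len(blob) < HEADER_LEN + TAG_LEN:
        raise UpdateRejected("truncated blob")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    # Constant-time compare so the tag check itself leaks nothing.
    if not hmac.compare_digest(tag, expected):
        raise UpdateRejected("authentication failed")
    magic, version, nonce = struct.unpack(HEADER_FMT, body[:HEADER_LEN])
    if magic != MAGIC:
        raise UpdateRejected("not a firmware container")
    # Anti-rollback: a genuine but older image must not replace a newer one.
    if version <= installed_version:
        raise UpdateRejected("version %d not newer than %d" % (version, installed_version))
    return version, keystream_xor(enc_key, nonce, body[HEADER_LEN:])


def demo():
    """Round trip plus the two failure modes the device must catch."""
    key = bytes(range(32))                       # constructed device secret
    firmware = b"constructed-sample-firmware-image-bytes"
    blob = build_update(firmware, 7, key)
    version, recovered = verify_and_decrypt(blob, key, installed_version=6)
    results = {"roundtrip": recovered == firmware and version == 7}
    tampered = bytearray(blob)
    tampered[HEADER_LEN] ^= 0x01                 # flip one ciphertext bit
    try:
        verify_and_decrypt(bytes(tampered), key, 6)
        results["tamper_rejected"] = False
    except UpdateRejected:
        results["tamper_rejected"] = True
    try:
        verify_and_decrypt(blob, key, 7)         # same version already installed
        results["rollback_rejected"] = False
    except UpdateRejected:
        results["rollback_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The ordering in `verify_and_decrypt` is the part worth copying: nothing in the blob is parsed or decrypted until the MAC over the whole thing has passed, so a corrupted or forged image never reaches the flash-writing code, and the version check covers the case of a legitimate older image being pushed back onto the chip.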