embedded system updates

I have read in various parts of the newsgroup where advice has been
given not to use the package file system in an embedded product because it
is overkill and slows down the system. So without the use of spill files, if
I use a link for all of my component executables (say component →
component.1) , then I can update the process run on boot up by putting
component.2 into the directory (thus not overwriting the current executable)
and merely point the link to this. This is non-destructive with the
exception of the link re-write. I am obviously interested in system
integrity here (i.e. if the power goes down whilst I am updating component
links, I still get a working system).
Does anyone have any comments or better suggestions as to how to
implement in the field updates bearing in mind that the units themselves are
often inaccessible but have IP connections? I haven’t really looked into
this in any detail and would appreciate anyone with experiences to share.