I'm not an armchair engineer, and have designed real products.
Loading a file with a particular name is fine.
But checking the file for signatures or other validity marks is mandatory to make sure you don't load bad data.
So, there's really no excuse.
On the other hand, I'd wager there's a secret three-finger salute (button-press) you can give it, to make it boot the proper file.
I'd doubt it's as broken as it appears.
If it really needs a JTAG to fix it, then that's a poor design (which I doubt).
You should be able to recover in the field.
It's preferable to keep a dedicated thumb-drive for each receiver.
That way, there's no chance of mixing up the executable or data files between different brands.
This last point is just my personal preference, but it helps.