I'd like to toss in my theory about the 'patches'. There are 2 questions here:
1. Why does MS upgrade via 'patches' and not just by sending the whole files and
2. Why don't they just patch the files in flash, but instead, keep the original files + patches in flash?

There are various good answers to question one, but I think the best answer is that it has to do with the limited space. Now, it is very easy to roll back the kernel: they always keep the original file, so they can hold various kernel versions in the Flash, because the patches are relatively small. If they wouldn't use patches, but complete files, then they wouldn't probably have space enough for 2 kernels !

About the answer to question 2 I am pretty sure: they simply can NOT patch the exe files themselves on the flash ! Because doing so, would break the signature, so they would need to resign the files and MS is not going to send us the private key to do so Besides, another reason would be that rolling back would be more difficult.

So, to conclude, the filesystem always contains the V1.0 version of the files (well: 2.0.1888.0 November 22, 2005 Original shipped version), plus the patches. The 360 scans for the latest patch, loads both the original exe and the latest patch, checks BOTH files for their signature (at least, that is what i EXPECT) and then creates the new, 'patched' exe in its memory.