How about a simpler rule like "no updates will install unless the phone is unlocked"? Such a rule would make discussion in the San Bernardino case moot. In response, the government would have to outlaw this practice and force device makers to retain the ability to push updates to a locked phone.
From what I understand, the discussion is about an update being installed through the low-level bootloader, while the phone being locked is a function of the higher-level operating system (which probably already has the "no updates will install unless the phone is unlocked" rule).
The relevant rule would instead be something like "installing any update through the low-level bootloader always wipes the encryption keys and the data partition". Normal updates wouldn't be through the low-level bootloader, so this rule isn't too restrictive.
Not that it makes any difference. The attackers in this case don't have to install the update in any normal way, be it through the normal operating system or the bootloader; they can instead desolder the NAND chips and write the update directly to them.
What I believe the attackers actually need is a signature from Apple. If the bootloader chain checks the operating system's signature, it won't boot unless it's signed by Apple.
