The problem with that is that you'd need to distribute an image everyone can read so competitors can clone your product in a heartbeat. End-user firmware updating needs encrypted firmware images.
It depends on the volume/profitability of the products and the risk of cloning. If the MCU is but a small part of the widget, then it may not be a bad idea.
But you are correct in the general case. Symmetrical key encryption can take as little as a few K bytes so not a problem.
While that is the case, you need to consider where that key resides. It's useless if someone can read the key with a JTAG emulator or sniffing or lifting a serial EEPROM off a board. It needs to be baked in write once and write only somewhere, and JTAG needs disabling to prevent third-party code being uploaded and sniffing about. Typically the use of firmware individually generated and tied to a unique baked-in write-once serial number is going to be more secure than a generic file, but equally that demands some infrastructure to support unique firmware generation.
Also be wary of code protection schemes, some of them can be circumvented quite easily.
Sometimes you need to consider whether it's even worth it at all. While I realise there is a school of thought that says everything should be open, at the end of the day you have to pay bills and keep a roof over your head. I've had two of my projects ripped off over the years, one was fully open source for non-commercial use which ended up keeping a few individuals well fed and watered at my expense, and the second, which had an open API, was ripped off by circumventing a chip's code protection (by running the device outside of documented parameters). In either case, there is little you can do, I don't have the resources to fund an IP lawyer, and even if I did what is a cease and desist notice going to do to someone on the other side of the planet?
One possible way is to make use of certain vertical market proprietary devices that are only available from the manufacturer. If someone rips off your design, you can usually ask the manufacturer not to supply the perps. The downside is that you're tied to a single vendor/manufacturer, and if it's a limited market part, you have to be careful about that manufacturer keeping in business and the lifetime of the part.
For me, the jury is still out on the value of IP protection, as a designer and OEM I can see both arguments. What I find more than a little concerning though are the black and white attitudes of a few open source nazis, almost certainly with too much time on their hands, who sit in their utopian ivory towers mulling over world peace and defeating poverty while dictating to someone they've never met that a project should be completely open, and that they should sport unnecessarily large beards and wear socks with their sandals. The world is rarely that simple.
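The point above about firmware generated individually and tied to a write-once serial number can be sketched as follows; this is an added example, not code from anyone in the thread. It assumes a build server holding a master secret, a per-device key provisioned into write-once storage at manufacture, and a hypothetical image layout (serial, version, payload, HMAC tag); payload encryption is left out and would use a second key derived the same way.

```python
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 output size


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract, then expand."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def device_key(master_secret: bytes, serial: bytes) -> bytes:
    """Key diversification: every serial number gets its own key."""
    # The salt label is a constructed value for this example.
    return hkdf_sha256(master_secret, salt=b"fw-update-v1", info=serial)


def package_image(master_secret: bytes, serial: bytes, version: int, payload: bytes) -> bytes:
    """Build side: header (serial length, serial, version) + payload + tag."""
    header = bytes([len(serial)]) + serial + version.to_bytes(4, "big")
    key = device_key(master_secret, serial)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def accept_image(dev_key: bytes, dev_serial: bytes, current_version: int, image: bytes):
    """Device side: return the payload if the image is for this unit, else None."""
    if len(image) < 1 + 4 + TAG_LEN:
        return None
    n = image[0]
    if len(image) < 1 + n + 4 + TAG_LEN:
        return None
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(dev_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    serial = body[1:1 + n]
    version = int.from_bytes(body[1 + n:1 + n + 4], "big")
    if serial != dev_serial or version <= current_version:  # wrong unit or rollback
        return None
    return body[1 + n + 4:]
```

The device holds only its own derived key, so extracting the key from one unit does not yield a key that authenticates images for any other serial number.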