validating your updates via asymmetric crypto can be mildly expensive (http://www.verisign.com/code-signing/content-signing-certifi... lists Windows Authenticode certificates at $400/yr) but is within the realm of a small company.
setting up a Google-scale CDN and writing a reliable push update framework? that's the hard part.
That's VeriSign for you. Thawed sells the very same certificates for $200, and Comodo runs a coupon deal for Tucows members that gets you the cert for $99 (though the actual process is a bit too contrived compared to Thawte's).
update verification is a < 100-line block of code using system cryptographic libraries on Windows.
for Chrome-style background updating, the solution is as simple as:
1) running a thread in the background to ping an API to check when updates are available, 2) downloading them via HTTP when they arrive, and 3) having a program which gets run at update-required-exit, which verifies and applies the patch to your main executable.
yes, writing update machinery for your software is some work. no, it's not insurmountable, and will certainly get easier as the Mac App Store and Windows Store gain traction because they allow you to piggyback on the update machinery of the platform.
