Then there must also be some authoritative, central places for distributing the client as well, these sites have to stay up and running as long as the network is, when billions of dollars are at stake or the governments get involved I don't think they will hold up so well.
That is true for bitcoin too. The point of signing the checkpoint is so that v1.0 clients will accept blocks after the checkpoint time.
The software could simply be set to refuse to accept new blocks after a certain height. This would fork everyone to update at the same time, which has security implications.
There is no difference between having the dev sign a new client and simply sign the checkpoint. Signing the checkpoint used up much less bandwidth.
Once the checkpoint has been passed, all clients, from the original dev or others, will simply hardcode the same checkpoint for the 50,000th block.
The checkpoint is part of the protocol.
What would happen to me if I have a possibly tampered Bitcoin client and a network with more malicious nodes than honest ones? I can always only give the client only the key for a test address, with a very small balance(which I got for free, say from a faucet) for a test transaction, then I will check all possible third-party soruces for the newest raw blocks(e.g., blockexplorer.com) if my transaction is mined, and have them verified locally using a random SHA256 implementation to see if these blocks truly meet a certain difficulty target. If they collaborate against me then it's not going to pass, if not then I have the real newest blocks and I can tell which nodes are honest to me, the worst outcome is I will lose my test coins.
If I use a PoS coin, then if I have more bad nodes then good in the network, a possibly tampered client, and all third-party sources collaborating against me I probably have no way to tell if I am getting the right chain, after all the first 50,000 PoW blocks are easy to forge after a few years with Moore's law.
Also with PoS what's really important is only the developer's signature, however many people you have to sign the checkpoint it's only the client signature validating them to be true.