A critical vulnerability needs to be fixed one way or another, and if breaking consensus is the only way, then that clearly warrants a HF. In what way would it “not be possible to upgrade”?
See my reply to Grumpy above. I guess I was being imprecise - it would always be possible to upgrade, you release a binary and you run the upgraded software, and you have upgraded. The problem would be getting the rest of the network to upgrade with you.