If it's a 2-person Chinese outfit it will not cost $10K for a weekend. I've heard figures of a few hundred for most MCUs.
http://www.break-ic.com/index.asp
I have heard about similar numbers. If all it takes is what an average consumer easily has in his bank account and a few weeks' patience, I can hardly imagine the trouble of development and added complexity is worth the hassle. Security theatre to fool yourself does not seem to be a productive route.
DRM that hampers paying customers, while not being a problem for organised opposition, is not what I call a success. It makes sense to do it right or to not do it at all. Also, if FTDIgate teaches us anything, going after customers, even if they turn out to use fakes, is going to hurt you regardless.
Granted, there are a few different sides to this story and all have merit. I know of a few people who successfully deal with the problem by simply out-competing copycats by providing a better quality product and service and staying ahead of the curve by constant development. Admittedly, that is much easier to do with some products than others. The product being a critical application or in a niche helps.
Well, so now there is no point in using flash security hardware? So will encryption do? The encrypted firmware still needs to be decrypted to be able to run on the MCU, I presume?
As far as I know, running code that is encrypted is not possible. You will either need to have the code stored unencrypted, or unencrypt it at runtime with an unencrypted key. Either the code or the key can be reverse engineered by the aforementioned method.
However, I stand to be corrected.