I did find these notes suggesting the use of the followkernel flag which sounds like it would automagically maintain the initrd file with upgrades. But it comes with the same feared caveat, the possibility of a failed upgrade causing a loss of drivers. So I think next I will try a script that does not use initrd or initramfs such as this one.
https://wiki.debian.org/RaspberryPiInitramfs for custom loading of modules at boot does work, but you must update it everytime you use rpi-update, this way:
mkinitramfs -o /boot/initrd
In the Raspberry Pi 2 you must also include this in /boot/config.txt:
initramfs initrd followkernel
And this is /boot/cdmline.txt:
root=/dev/mmcblk0p2 initrd=-1 dwc_otg.lpm_enable=0 console=ttyAMA0,115200 console=tty1 elevator=deadline rootwait
Because rpi-update is not the official way that Debian updates the Initramfs, you may find weird things happening when you update rpi, so if your system becomes unbootable because there is a needed module in the initrd that you need (like encryption), you must boot with another up to date sdcard, chroot into the new environment, mounting first /boot and /dev, and then update the initrd manually. This just happens because of the privative special way of booting of the Raspberry Pi, out of any reasonable standard.