To put this in perspective, a controller does not "go down" often. You will have maintenance like upgrades and reconfiguration that would involve a reboot and things like that you would schedule. For other people who want more protection, they would purchase a second controller to back up the first and if anything happens to the first controller, they would deploy a second controller. For customers who do not want a second controller, they would run their access points in Instant mode, that does not require a centralized controller... One of the access points would be the Virtual Controller that would be responsible for configuration and monitoring.
The big difference with instant is that every access point would have to be placed on a trunk for all of the VLANs that you are putting users on. The controller-based network would only require a trunk connected to the centralized controller.
There is no need to jump through hoops with bridged mode and Always on SSIDs to protect against a centralized controller going down, even though that does not happen often...