Can I delete the files in the update directory once the update is completed?
Can I delete the files in the update directory once the update is completed? Or is it safe to leave them in there?
Isn't it a security risk to have an update directory with fairly wide open permissions and having critical files that are being used in the update directory?
I think a lot of this goes into server setup as much as anything. We currently have our updates directory set to a 664 permission. When a web request is made it runs as that user so it has access to the updates directory, the files directory, etc.
Typically the biggest security problems I see are poor programming which allows malicious code to write to these directories (and in concrete5's case if this happens they could just as easily go inject their code into the cache files or uploads directories) or poor server setup and bad file permissions (such as allowing users access outside of their home directories and setting the updates folder to a chmod of 777 which then lets other users access your site).
After you have upgraded you can delete any folders in the updates folder that are not defined in your /config/site.php file. In the example below if my config file had the line below, I would not want to delete the /updates/concrete5.6.1/ because it is being used but any others would be safe to delete.
define('DIRNAME_APP_UPDATED', 'concrete5.6.1');
I will frequently go through and delete old updates after some time has passed and I know that the newly updated site is working and I won't need to revert.
The only way the files can be deleted from the update directory is if you replace the root/concrete folder with the one in the update directory AND amend your site.php accordingly....
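The cleanup rule from the reply above (keep only the folder named by DIRNAME_APP_UPDATED in /config/site.php) together with its file-permission concern, as an added example that is not part of the original thread or of concrete5 itself. The function names, the report layout and the sample folders concrete5.5.2 and concrete5.6.0 are assumptions made for illustration; the script only reports and deletes nothing.

```python
import os
import re
import stat
import tempfile

# Matches define('DIRNAME_APP_UPDATED', '...') at line start; lines commented with // or # do not match.
DEFINE_RE = re.compile(
    r"""^\s*define\(\s*['"]DIRNAME_APP_UPDATED['"]\s*,\s*['"]([^'"]+)['"]\s*\)""", re.MULTILINE)

def active_update(site_php_text):
    """Return the folder named by DIRNAME_APP_UPDATED, or None if it is not defined."""
    m = DEFINE_RE.search(site_php_text)
    return m.group(1) if m else None

def audit_updates(site_root):
    """Classify folders under <site_root>/updates and flag world-writable ones."""
    with open(os.path.join(site_root, "config", "site.php"), encoding="utf-8") as fh:
        active = active_update(fh.read())
    updates = os.path.join(site_root, "updates")
    report = {"active": active, "keep": [], "removable": [], "world_writable": [],
              "updates_dir_world_writable": bool(os.stat(updates).st_mode & stat.S_IWOTH)}
    for name in sorted(os.listdir(updates)):
        path = os.path.join(updates, name)
        if os.path.islink(path) or not os.path.isdir(path):
            continue  # only real directories are update folders
        (report["keep"] if name == active else report["removable"]).append(name)
        if os.stat(path).st_mode & stat.S_IWOTH:  # e.g. chmod 777
            report["world_writable"].append(name)
    if active is not None and active not in report["keep"]:
        raise RuntimeError(f"site.php points at missing folder updates/{active}")
    return report

def build_sample_site(root):
    """Constructed sample tree: three update folders, one of them chmod 777."""
    os.makedirs(os.path.join(root, "config"))
    with open(os.path.join(root, "config", "site.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php\n// define('DIRNAME_APP_UPDATED', 'concrete5.6.0');\n"
                 "define('DIRNAME_APP_UPDATED', 'concrete5.6.1');\n")
    for name, mode in (("concrete5.5.2", 0o755), ("concrete5.6.0", 0o777),
                       ("concrete5.6.1", 0o755)):
        path = os.path.join(root, "updates", name)
        os.makedirs(path)
        os.chmod(path, mode)  # set explicitly so the umask does not alter the bits
    os.chmod(os.path.join(root, "updates"), 0o755)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_updates(build_sample_site(tmp)))
```

Against a real site, call `audit_updates()` with the web root and review the `removable` list by hand before deleting anything.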