In case it helps anyone I've realised what I was doing wrong here.
The main “problem” was that one of the updates included in Cumulative Hotfix 4 is APSB13-03 (http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb13 -03.html). I knew this changed the behaviour of RDS but my knowledge prior to this work of ColdFusion and in particular RDS was very limited, and so I didn't understand the implications of this hotfix. What this update does is disable RDS by default; I wasn't really aware what the RDS status of my server was prior to the update, partly because before this update there is no "disable RDS" tick box to show whether it is enabled or disabled. With RDS disabled, you can't browse as the update instructions require you to do. Obviously RDS was enabled on my setup without me realising it.
My understanding of this wasn't helped by the fact that when I tried to paste a path into the box and hit the "update" button I got a different error, which I described in my original post. Similarly if I tried to change RDS settings, or do pretty much anything in the administrator, it failed and logged me out in the same way. It seemed to me that the whole thing was broken by the updates and I didn't know how to fix it.
So, following the excellent advice of Charlie Arehart in two articles: http://www.carehart.org/blog/client/index.cfm/2010/12/12/cfmyths_cumul ative_hotfixes and http://www.carehart.org/blog/client/index.cfm/2011/10/21/why_chfs_may_ break, I went back to the start and installed the cumulative hotfixes one by one. Although I don't think I actually needed to do this, as Hotfix 4 seems to contain all the previous hotfixes, it did help me realise that the browsing/RDS issue and the error and logout when I tried to do anything in the administrator were two different problems. After further bit of googling I found people suggesting that you should use https to access the administrator, but the shortcut I had was taking me to http (as far as I know I was using the default shortcut). I found that by going to https the problem of being logged out when trying to do anything disappeared and I could put a UNC path in to update the .jar file for the next update. I also was now able to enable RDS for single password and could browse like the hotfix instructions advise. I've since disabled RDS and accepted the inability to browse as a "feature", happy that it's more secure as a result.
So my “problems” were largely self-inflicted due to my own ignorance of the product, but it wasn’t helped by Adobe’s apparent inability to grasp that there may be similarly ignorant people attempting these updates. It would have been nice to see some guidance from them. Furthermore, the cumulative hotfix 4 page (http://helpx.adobe.com/coldfusion/kb/cumulative-hotfix-4-coldfusion-90 1.html) doesn’t even mention RDS, let alone that the default behaviour changes. It’s only when you check the individual hotfix information that you can see the information that helped me to realise where I was going wrong.
As for using https not http; great, but if I’m right that my shortcut is the default out-of-the-box shortcut, where’s the information to advise to change to using https as a result of one of the hotfixes included in hotfix 4 (originally, I think, hotfix 2)? It’s certainly not mentioned on the page for cumulative hotfix 4.