A good example of the double-edged sword of "softening" firmware through UEFI. Sure, you can update/patch it easily, which means so too can malware. What UEFI has essentially done is to set the standard procedure for malware recovery to "buy a new laptop."
That said, to pull off this or other attacks would require an initial compromise of the OS (so that it could then update UEFI). Granted, that is not a huge hurdle given the range of vulnerabilities.