This is why you use VMs. If malware hits the disk, it is going to find a generic HDD, like a VMWare Virtual drive, and that vector of attack stops for good right there.
We are almost at a point where we should virtualize everything, and what sits at the bare metal is a hypervisor, where there is a definite layer of separation between the OS and devices. This way, a compromise on the OS level won't allow hardware to be tampered with. If there is a firmware update needed, then it should be made available for manual flashing that takes a deliberate set of actions by the user (or via remote, using some administrator certificate) to ensure that a firmware update is authorized.
In fact, virtualization on newer machines is more of a "why not?" item, than a "why?" item. For example, Windows 8 and Windows 8.1 have Hyper-V available with a switch setting and a reboot. With a little bit of work, one can have one instance of Windows just for Web browsing, and the browser would be a seamless application. The advantage of doing this is that if/when something nails the Web browser and gets a user context, rolling back to a snapshot/checkpoint is pretty easy.
A good example of this was when I was browsing in a VM a certain social network without an ad blocking extension in the browser... 10 minutes later, that VM was slammed by malware, likely from an ad server that was serving up exploits. The fix was two clicks and a confirmation dialog away. Of course, if malware isn't detected, that is another story, but for browsing the Web, it is wise to just roll the VM back every so often anyway (at least every month for Patch Tuesday's festivities.)
What would be nice is if PC makers could allow one's choice of hypervisor to be installed on a dedicated SSD that either is physically set read-only and read-write by a DIP switch (with preferences and system info stashed on a separate writable partition), or similar functionality. The advantage of this is that the hypervisor would be pretty much static except for occasional updates (and the update mechanism can be made decently secure), and hardware would be isolated from the VMs.
If a device does need a firmware upgrade, a mechanism at the hypervisor level would address this.