And what about those BIOS/EFI firmware-based hypervisor rootkits? If someone is able to gain root access in a given system that is somehow "vulnerable" in such way that a permanent EFI (or similar) rootkit can installed, then you'll be fucked even with the read-only media and all.
Speaking of which, I don't understand why manufacturers are so eagerly adding all this new intelligence into the firmware. What do we need it for anyway? IMO it would be so much simpler from security perspective, if the OS would be at the bottom of it all. Added complexity adds new possibilities for exploitation.