which run in an special protected mode of the computer and abstracts the attached HW interfaces so that a program can not control the HS directly but a well defined subset of functions on this HW by calling another program.
Lets call the first program "os kernel" and the second one "device driver", and let's call the mode of the processor "ring 0".
To be clear on it: i would hope that the monitor firmware is somehow signed. OTOH, hacking my monitor still would require to pass the device driver on the computer, so i am not terribly worried, since the 1 Billion monitors do not have a coherent interface to firmware manipulations, and the picture that a pixel "uploads code" is accurate only an very abstract level, since in most monitors these pixels probably are not processed in the memory which can execute code. Those institutions with enough programming capacities to hack these already would have had access (swapping packets at the post) before delivery to circumvent it all.