Therein lies the problem.
"They are just executables to be run through your patch management software like any other executable."
Flashing a new BIOS has just become too simple, especially compared with the early days when you had to program a new EPROM and replace it on the motherboard. Of course, in those days it was due to the available hardware rather than a need for security.
The advent of cheap flash memory has simplified updates to the point where they can occur without the user noticing anything untoward. The ability to flash needs to be restricted by a physical switch that the user has to place into 'maintenance' mode and then reset back to 'operation' mode. With both access and intent being necessary, this is about as secure as things can get without being overcomplicated.