And the burnt-in spyware ?
Let's not forget the spyware - ahem sorry I mean security management facilities - burnt into most BIOSes. Yes the ones which can install their software into the guest OS, so that it can report back to the mothership and/or be remote wiped. I'm talking of course about Computrace. But there are others who have tried to join the market.
I can see the point of these - a bit like iLO and DRAC - but they are internet facing clients which in every other circumstances would be judged as infected bots.