I rather suspect...
...the real reason for the HP utterances to reflect a current state of affairs, where suits all of a sudden became "aware" of several problems regarding BIOS password security, meaning they somehow acquired the dangerous amount of knowledge where they still don't know zilch, yet somehow just about enough to severely disrupt day to day operation with their opinion.
The facts:
There's two common ways to store a password (or a hash), as far as BIOS password security:
1.) The CMOS RAM.
2.) The BIOS flash
1. is the legacy method and suffers from the limitation that once system battery power is removed/disrupted, the password/hash will be gone, along with the information that there was one to begin with
2. suffers from the proposition that it should not be possible to render a PC unusable by incidents happening during a flash BIOS update. Since writing a password/hash to the BIOS flash can (in theory) be interrupted the same way as any BIOS flash update operation can, there is either:
2a.) If that happens, you are FUBAR
2b.) The board has a bootblock/"recovery BIOS"... whatever... which will readily allow one to re-flash the system BIOS and hence overwrite any password/hash, including the information that there was one to begin with.
There is more stuff suffering from this very same chicken and egg problem. You are either secure, but not recoverable, or you can recover, but are not entirely secure.
I forgot 3.) The password hash is like 14-16 bits and the latter is even displayed to the end user if, during compile time, you set some BIOS switches accordingly.
Takes the better part of a millisecond to create a password that produces this hash. No exactly "brute" force.