Re: needless complexity
all this hush-hush work should come 100% open
Where do you draw the line? I don't see any reason in principle to trust the "real" CPU or its microcode any more than the "management" CPU and its software. I can see a valid argument in favour of 100% open hardware (though not one that would presently make much commercial sense), but assuming that one proprietary CPU is somehow more trustworthy than another does not seem logical, especially if they're both on the same die or closely coupled.
large companies are going to be doing their remote management using IPMI to the BMC
The Intel ME and AMD PSP are (among other things) alternatives to the BMC. Do you know what that proprietary BMC is doing? Given that using the BMC you can at least in principle rewrite the operating system before it boots, I'm not sure how much of a security difference there is in principle between not knowing what the ME/PSP is doing while an unmodified OS is running and not knowing what a modified OS might be doing.
People see less risk in that which is familiar and mistrust the unfamiliar, but that is a risk in itself: we become blind to the risks that are, with hindsight, staring us in the face and of which several examples have received a great deal of exposure this week. There may be reason to be paranoid, but at least be uniformly paranoid!