Re: For decades now
"add a physical switch to write protect the boot flash"
It's not practical to have to change a jumper to update every box, especially in large environments. Most corporates set BIOS passwords which you would require to know for an update script to work, at least if it uses conventional update methods...
Partly for this reason, and also to make boxes mostly useless if stolen, I always disable external boot and set BIOS passwords on my own kit.
To remove a BIOS password without the manufacturer's assistance generally requires replacing a chip on the motherboard, as I understand it, so it's not perfect but it's a good start.