"but server rooms are some of the most secure places in any company."
Still, in mine, people like janitors, electricians, and air-conditioning, UPS and hardware technicians can enter, and most of them are from outsourced companies. And unluckily the building manager, who has access, does not always notify us when some of them are allowed to enter. A security guard may not notice if one of them does something "strange".
"BIOS injection would require a hook into the OS or the ability to control a reboot".
Do you know that most servers today have remote consoles which allow firmware to be patched and the machine rebooted?