Remember how in "A Fire Upon the Deep" a ship carrying a countermeasure was taken out by the Blight? The latest OpenSSL / Debian fiasco and bugs like this show just how trivial it must be for a powerful adversary.
I'm not quite sure I see the real threat here. Barring remotely exploitable firmware bugs, this family of exploits requires access to the hardware. No security model anywhere can protect a machine from an attacker with physical access...
This is very important. The rich virus ecosystem that developed in Windows did so because all Windows installs are essentially the same.
Attacks on your NIC are not something I'd lose sleep over, simply because there are so darn many NICs. I have enough trouble simply getting the authorized drivers to run on a dozen NICs of the same model number consistently. How much harder would it be to get an exploit to run over the wire on all but the tiniest fraction of installed NICs?