But now we can have malware hijacking our firmware, seamlessly through standard kernel APIs.

Is this really an improvement? Is it worth it?

You would require root on the machine, and if you have root anyway...

Anyway you can already flash the firmware, just without a standard interface: either with the uefi copy thing, or with a proprietary tool.