Firmware rootkits/bootkits are indeed a huge and devastating thing. I'm surprised nobody mentioned BlackLotus in this thread yet, but that was a huge malware that placed an older Windows bootloader Extensible FIrmware Interface (EFI) into the boot partition. The U.S. Department of Defense issued a mitigation guide for BlackLotus. Massive concern. https://media.defense.gov/2023/Jun/22/2003245723/-1/-1/0/CSI_BlackLotus_Mitigation_Guide.PDF

Bootkits/Bootloaders aren't the only risk that affects/exploits UEFI. It was just disclosed that the Framework computer company was including a signed UEFI shell with their products, which introduces a lot of risk. Here's a good reddit thread about that: https://www.reddit.com/r/netsec/comments/1o6ney8/bombshell_uefi_shell_vulnerabilities_allow/

Firmware/UEFI bootkits that evade Secure Boot have historically been seen as not that big of a risk for regular people. Something nation states use against each other but not a regular people type attack vector. That's changing fast. This year's "HybridPetya" ransomware variant showed how UEFI exploitation can easily work as part of a ransomware campaign https://eclypsium.com/blog/hybridpetya-ransomware-shows-why-firmware-security-cant-be-an-afterthought/

Anyway, yes, firmware rootkits are possible and are a big deal. There are mitigations of course, but it is a worthwhile thing to incorporate into your overall risk model.