Funny you mention that, because my first thought when reading that he submitted a report to the vendor was that they'd "fix" the problem by requiring firmware uploads to be signed (in which case it's "secure" because only their service techs have access to the private key, IOW, security by sternly worded written policy).