First off, why should I trust an Anonymous Coward that has provided precisely zero citations for their claims?
But secondly, pray tell, -how- is it easier? The vulnerability could be exploited by a simple bit of malware on a network admin's computer that waits for them to connect to the Cisco UI.
Whereas I imagined that if there was a vulnerability in a security-sensitive chunk of code, the manufacturer would send out an announcement to affected customers and/or news sites. The affected customer would then enter their serial number onto a page to request the updated chip; when the chip is shipped, they get a tracking number. Exploiting this method would require somehow waylaying the shipment and replacing it without the shipping agency getting wise. The package itself could also contain a number of anti-tampering measures. They could even etch the serial number of the system the chip is intended for onto the chip (which would require the malicious actor to already know the serial number). Most systems will also output the signature of the various add-in ROMs the BIOS hands execution off to, which can be done here. Maybe include something in the BIOS so that if BIOS signatures change, it notifies the operator. So that post-install, a message pops up and gives sha256 and crc checksums or something, which can be matched with data sent by the manufacturer in an email or posted on their website.
At the very least, requiring a physical item to be replaced would generate all sorts of change management procedures, downtime to be scheduled, etc. Someone is going to notice a piece of equipment being taken down, while no one is going to notice that some hidden bit of software has been modified.