The only road to a truly secure BIOS probably goes back to the 1980s when BIOSes were compact, tightly coded and burned into a chip by physically blowing internal fuses. They were not alterable except by replacing the chip.
Perhaps we need to go back to BIOSes that are not field upgradable. Of course that would require BIOS code that contains no vulnerabilities. And we don't actually know how to write that.
Seems that we're kinda, sorta -- Screwed.