It's a non-issue if you're not using Windows. Basically it's a Windows "feature" where if a certain ACPI table is present in the firmware, it will download and execute it. There isn't actually any malware/spyware executing on the firmware itself.
The intent is that manufacturers would use this to provide critical drivers for Windows users. Stuff that wasn't on the retail OS CD, but you would need to get to Windows Update. Or something, I dunno. Of course, the race to the bottom being what it is, if you can get $20/unit to put sketchy garbage in it, it's going to happen. Just because you're paying for something doesn't mean you're not also the product.
AFAIK the original purpose was for anti-theft solutions (e.g. Computrace) to re-install themselves after a wipe. Before this, they would mount the boot drive and rewrite chkdsk.exe (which gets executed each boot) with their program. That way, their tracking software stays on the system even if you wiped the computer.
The original intent seems OK. Why the hell does this mechanism need the capability to execute arbitrary .exe files and not just load the most basic type of driver required (INF/DLL/etc. whatever Windows calls it)?
A DLL is also executable code; there's really no difference between that and running an arbitrary EXE. INF files are slightly different, since they're just text-based configuration, but I doubt that you could get your theft-recovery (or whatever other) functionality using just configuration of something built-in.
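The "certain ACPI table" the thread is talking about is the Windows Platform Binary Table (ACPI signature `WPBT`), and the practical question for a defender is simply whether the firmware on a given machine publishes one. The script below is an added example written for this thread, not code from any commenter or vendor: it parses the standard 36-byte ACPI table header, verifies the ACPI checksum, and lists every table the firmware exposes, flagging `WPBT` if present. It assumes a Linux host, where the kernel exports raw ACPI tables under `/sys/firmware/acpi/tables/` (reading them needs root), so it works from a live USB on a machine you don't want to boot into Windows. The embedded `SAMPLE_WPBT` bytes and the `DEMO`/`SAMPLE`/`EXMP` OEM identifiers are constructed for the demonstration and are not a real vendor table.

```python
"""Detect and parse the firmware ACPI table the thread describes: the
Windows Platform Binary Table (signature "WPBT"), which Windows reads at
boot and runs the embedded platform binary from.  Added example, not code
from the thread.  Linux exposes each firmware ACPI table as a raw file
under /sys/firmware/acpi/tables/, so the check runs from any Linux system."""
import struct
from pathlib import Path

ACPI_TABLES_DIR = Path("/sys/firmware/acpi/tables")  # Linux sysfs export
WPBT_SIGNATURE = b"WPBT"

# Standard ACPI System Description Table header (36 bytes, little-endian):
# Signature(4) Length(4) Revision(1) Checksum(1) OemId(6) OemTableId(8)
# OemRevision(4) CreatorId(4) CreatorRevision(4)
HEADER_FMT = "<4sIBB6s8sI4sI"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 36
CHECKSUM_OFFSET = 9  # byte index of the Checksum field within the header


def checksum_ok(table: bytes) -> bool:
    """ACPI rule: the first Length bytes of a table must sum to 0 mod 256."""
    if len(table) < HEADER_LEN:
        return False
    length = struct.unpack_from("<I", table, 4)[0]
    if length > len(table) or length < HEADER_LEN:
        return False  # truncated blob or nonsensical Length field
    return sum(table[:length]) % 256 == 0


def parse_header(table: bytes) -> dict:
    """Decode the standard header; raises ValueError on a truncated blob."""
    if len(table) < HEADER_LEN:
        raise ValueError("blob shorter than an ACPI table header")
    (sig, length, rev, _csum, oem_id, oem_table_id,
     oem_rev, creator_id, creator_rev) = struct.unpack_from(HEADER_FMT, table)
    return {
        "signature": sig.decode("ascii", "replace"),
        "length": length,
        "revision": rev,
        "oem_id": oem_id.rstrip(b"\0 ").decode("ascii", "replace"),
        "oem_table_id": oem_table_id.rstrip(b"\0 ").decode("ascii", "replace"),
        "oem_revision": oem_rev,
        "creator_id": creator_id.decode("ascii", "replace"),
        "creator_revision": creator_rev,
        "body_size": max(0, min(length, len(table)) - HEADER_LEN),
        "checksum_ok": checksum_ok(table),
    }


def build_table(signature: bytes, body: bytes, oem_id: bytes = b"DEMO  ") -> bytes:
    """Construct a syntactically valid table (correct Length and Checksum).
    Only used to produce the constructed sample below; the OEM/creator
    identifiers are made up and the result is not a real vendor table."""
    length = HEADER_LEN + len(body)
    header = struct.pack(HEADER_FMT, signature, length, 1, 0, oem_id,
                         b"SAMPLE  ", 1, b"EXMP", 1)
    table = bytearray(header + body)
    table[CHECKSUM_OFFSET] = (-sum(table)) & 0xFF  # make the bytes sum to 0
    return bytes(table)


def scan_tables(tables_dir: Path = ACPI_TABLES_DIR) -> list:
    """List every firmware table found, with its parsed header.
    Returns [] when the directory is absent (non-Linux host or no sysfs)."""
    found = []
    if not tables_dir.is_dir():
        return found
    for entry in sorted(tables_dir.iterdir()):
        if not entry.is_file():  # sysfs also holds subdirectories (e.g. data/)
            continue
        try:
            found.append({"file": entry.name, **parse_header(entry.read_bytes())})
        except (OSError, ValueError):
            continue  # unreadable without root, or not a table: skip it
    return found


def wpbt_present(tables_dir: Path = ACPI_TABLES_DIR) -> bool:
    """True if the firmware publishes a WPBT, i.e. Windows would be handed
    a platform binary to execute at boot on this machine."""
    return any(t["signature"] == WPBT_SIGNATURE.decode() for t in scan_tables(tables_dir))


# Constructed sample: a WPBT-signed header over a 16-byte dummy body.
SAMPLE_WPBT = build_table(WPBT_SIGNATURE, b"\x00" * 16)

if __name__ == "__main__":
    for t in scan_tables():
        flag = "  <-- platform binary present" if t["signature"] == "WPBT" else ""
        print(f"{t['file']:<8} len={t['length']:<6} oem={t['oem_id']:<6} "
              f"csum_ok={t['checksum_ok']}{flag}")
    print("WPBT present:", wpbt_present())
```

Run it as root on a Linux live system to see the full table inventory; a `WPBT` entry means this firmware will hand Windows a binary to run on every boot, regardless of how many times the disk is wiped. On the Windows side, Microsoft's WPBT document describes a `DisableWpbtExecution` registry value under the Session Manager key as the switch to turn the mechanism off; I'm citing that from memory, so confirm it against the current document before relying on it.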
When I play movies I've paid for on my iPad I've paid for, if I want to screenshot frames from them to share or reference or meme, the screenshots come out as black rectangles.