Well, you don't have that much choice of CPU manufacturers if you want a 65 W+ performance-class CPU, so you do the best you can.
But anyway, there are many manufacturers that were happy to sell widgets without internet-connected software, and compete on the quality and price of those widgets in a fairly honest way. But when it became possible to embed software that can send data to the internet somehow, well, various departments just could not resist demanding their engineers do so. Support costs can be massively reduced if you can just see what the stupid user did and remote in with the backdoor key and fix their misconfigured router/VPN/appliance (true story). And your marketing and product-planning teams are just severely hobbled by not having all the telemetry they can dream of; there are just millions wasted on team salaries and marketing spend if they can't get that user data sent to the SaaS marketing/CRM tool they want. But when a car didn't have internet-connected computers in it, they just had to do without.
We trust CPU manufacturers to act like reasonable companies. They make some good stuff; that's how they make money. They're not fly-by-night ventures. They can't risk the huge investments in their brand and their business. And they're not malicious spies trying to screw with you via very tricky microcode. But if they can conveniently put some value-add in the hidden support CPU because the marketing or support team really needed it ...
It's about the continued leverage they have by holding the key after you bought the CPU. They could be forced by secret court to sign backdoored firmware. And of course you can't load your own firmware, only whatever they release and sign.
If they're generous they'll release a stripped-down version, sure, but that's still their choice, not yours.
Backdoored firmware isn't about updates. It's about rootkit or evil-maid attacks that install backdoored firmware that has been signed by the vendor. If you're using your own trust root, then a third party can't create a signature, even under duress. Thus there would be less of an incentive to pressure the vendor.
Updates are a separate concern since you'll want them for bugfixes. So they should be reviewable, open source. And then you check the vendor's signature and replace it with your own if you want. At least that's how things should work.
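The owner-controlled trust root described in the two comments above, as an added example that is not part of the original thread: a device pinned to the owner's public key refuses a vendor-signed image (so a vendor signature, coerced or not, buys an attacker nothing), while the owner verifies the vendor's signature on an update and re-signs it under their own key before the device will accept it. The Ed25519-over-SHA-256 image format, the `TrustRoot`/`SignedImage` types and the firmware bytes are all constructed for this illustration and do not model any real vendor's boot chain.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedImage is a firmware blob plus a detached Ed25519 signature over its
// SHA-256 digest. The format is invented for this example, not a real one.
type SignedImage struct {
	Firmware  []byte
	Signature []byte
}

// TrustRoot models the single verified-boot public key burned into the device.
type TrustRoot struct {
	PubKey ed25519.PublicKey
}

func digest(fw []byte) []byte {
	h := sha256.Sum256(fw)
	return h[:]
}

// Sign signs the firmware digest with the given private key.
func Sign(priv ed25519.PrivateKey, fw []byte) SignedImage {
	return SignedImage{Firmware: fw, Signature: ed25519.Sign(priv, digest(fw))}
}

// Accept reports whether the device would boot this image: only a signature
// that verifies under the pinned key is good enough, whoever else signed it.
func (t TrustRoot) Accept(img SignedImage) bool {
	return ed25519.Verify(t.PubKey, digest(img.Firmware), img.Signature)
}

// ReSign is the owner's "check the vendor's signature and replace it with your
// own" step: refuse anything the vendor did not sign, then sign it yourself.
func ReSign(vendorPub ed25519.PublicKey, ownerPriv ed25519.PrivateKey, img SignedImage) (SignedImage, error) {
	if !ed25519.Verify(vendorPub, digest(img.Firmware), img.Signature) {
		return SignedImage{}, fmt.Errorf("update is not signed by the vendor; refusing to re-sign")
	}
	return Sign(ownerPriv, img.Firmware), nil
}

// Outcome collects the four checks the comments imply.
type Outcome struct {
	VendorSignedBoots          bool // vendor key alone should not boot an owner-pinned device
	OwnerReSignedBoots         bool // the owner's re-signed update should boot
	TamperedImageBoots         bool // a flipped bit after re-signing should be rejected
	ForgedVendorUpdateReSigned bool // the owner should refuse to re-sign a non-vendor image
}

// Scenario generates fresh vendor, owner and attacker keys and runs the checks.
func Scenario() (Outcome, error) {
	var out Outcome
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	ownerPub, ownerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	device := TrustRoot{PubKey: ownerPub} // owner's key is the only root of trust

	fw := []byte("constructed toy firmware image v1.2") // constructed sample, not a real image
	vendorImg := Sign(vendorPriv, fw)
	out.VendorSignedBoots = device.Accept(vendorImg)

	ownerImg, err := ReSign(vendorPub, ownerPriv, vendorImg)
	if err != nil {
		return out, err
	}
	out.OwnerReSignedBoots = device.Accept(ownerImg)

	// Evil-maid style modification after the owner signed: copy, then flip one bit.
	tampered := ownerImg
	tampered.Firmware = append([]byte{}, ownerImg.Firmware...)
	tampered.Firmware[0] ^= 0x01
	out.TamperedImageBoots = device.Accept(tampered)

	// An image signed by some other key must not get past the owner's vendor check.
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	forged := Sign(attackerPriv, []byte("constructed attacker image"))
	_, err = ReSign(vendorPub, ownerPriv, forged)
	out.ForgedVendorUpdateReSigned = err == nil

	return out, nil
}

func main() {
	out, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The design point is the separation the comments draw: the vendor's key is used once, at update time, to answer "is this really the vendor's bugfix?", while the device itself only ever answers "did my owner sign this?". Coercing the vendor into signing a backdoored image produces something the owner's device will not boot, and the owner will not re-sign an image that fails the vendor check either.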