When you're signing a binary blob, protecting the private key is actually pretty easy since it can be air-gapped/offline. Or heck you can buy appliances where they'll perform specific functions using the private key but won't expose it themselves without physical intervention.
If I were a mega-corporation protecting a firmware private key, your name would have to be Tom Cruise to get it. Though unfortunately responsible corporations seem to be as rare as real-life Tom Cruise characters, so I guess it's a valid concern you have.