UEFI is a specification; exploits are necessarily against implementations thereof, not the spec itself.  Tianocore is a partial reference implementation of the UEFI spec, and the package built for use with coreboot an even smaller subset of that (since it completely skips the PEI phase).  So unless you can provide evidence that UEFI-targeting malware exploits specific features (or bugs) implemented in Tianocore as built for coreboot, then it's not accurate in the least to say that "UEFI malware exists, Tianocore is UEFI, so Tianocore is vulnerable to all UEFI-targeting malware."

And certainly, traditional/legacy payloads not being vulnerable to UEFI-targeting malware does not make them de-facto more secure.

Vulnerabilities/exploits/attack vectors, along with mitigations, etc in open source firmware is certainly a topic worth discussing.  But let's base that discussion in fact, and leave out the drive-by implications of security not being a concern based on payload selection for a given use case.