Putting the serial number in the same flash chip as the main
firmware is a cost reduction measure used with desktop and other
low cost boards. I have even seen a board where the MAC address
lives there. The only protection for those items is that the
flash utility given to the end user knows to skip that area.

The way I have seen the serial number programmed is at
manufacturing diagnostics time. The board is PXE booted to a
diagnostic image. The image runs a script that first erases
the entire flash chip. It then programs it with the OEM firmware
image. The OEM image contains a blank serial number. The script
then prompts for operator input. The operator pulls a barcoded
serial number label from a roll and attaches it to the board. The
operator then scans the label with a barcode reader. The script
uses the barcode data to find the serial number in a database.
The script then runs a special flash utility that reprograms only
the serial number portion of the flash chip.