It boils down to this: except on the BSP the smihandler code will execute code at a random location, but most likely at offset 0. With some carefully crafted code a bootloader or the OS could place some code at that offset, generate an SMI on an AP and get control over SMM. More recent silicon has hardware mechanisms to avoid executing code outside the designated SMM area (TSEG) so those would not be affected.