Recently I had an interesting discussion with a system administrator who is responsible for several hundred PCs, Routers etc.
His argument was: Imagine it would take you 15 minutes to install a patch on a computer (all Windows machines, of course...). If your company has 1000 computers and you send one admin to install the patches, it will take him >31 work days, working 8h a day. That's why, he said, companies are interested in software allowing them to install stuff on the OS / hard drive remotely through the firmware.
I, not dealing with large networks, had never thought about it this way. But it does make a lot of sense to me, it's about real money (as usual).
So I guess that's indeed a huge reason why Intel and AMD created Frankenstein, running below UEFI and Kernel. It probably doesn't explain so much why it's necessary to disallow you switching IME off or why it needs control about absolutely everything, but that's a different story.
So I'm wondering: What would you do about this reality? Could there be a different solution other than software in Ring -1 having its sausage fingers on everything? Sure, the programmers in a company could install their stuff on their own, but the office folks, the HR and PR guys and the lawyers? Hmm.
And whether we like it or not, even awesome companies almost exclusively supply their employees with Windows machines, and they just demand solutions allowing their IT departments to fix everything as cheaply and as easily as possible.
P.