Because there is in general nothing to authenticate the hardware owner, in contrast with the usual OS users/admins (whom the model considers corrupted), and because it is designed most of the time to prevent modification by even admins (allowing only modifications signed by the hardware manufacturer), if a security hole is discovered and exploited it is not very easy to revert the system to a good state; it can even become completely impossible if the malware patches the security hole after having exploited it. So it can then sit there, unremovable, and with ultra-privileges. The situation is similar to an infected Android device: because of the security model it is not supposed to happen (most of the time; there are often "bugs" even in the informal model), but because software is full of security holes, once one is exploited it is less easy to remove the infection than it would be on a PC.
It is for this reason that the security community considers the Intel Management Engine a huge security risk, and the situation is only marginally better with x86 firmware using such "security" features.
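As an added illustration of the trust-model point made above (example code written for this page, not from the comment's author, Intel, or any firmware project): a toy firmware update policy that trusts only the vendor's signing key, beside one that also trusts an owner-enrolled key. It shows why, after a compromise, the owner has no recovery path under the vendor-only model, even though every gate in that model is working as designed. HMAC-SHA256 stands in for the vendor's asymmetric signature (the policy logic is the point, not the primitive), and all keys, image contents and version numbers are constructed.

```python
"""
Toy model of a firmware update policy: vendor-only trust versus vendor plus an
owner-enrolled key. Constructed for illustration; HMAC stands in for a real
asymmetric signature, and every key, image and version number is made up.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed keys. A real platform would keep vendor/owner *public* keys in
# fused or tamper-resistant storage and verify asymmetric signatures.
VENDOR_KEY = b"vendor-signing-key-(constructed)"
OWNER_KEY = b"owner-enrolled-key-(constructed)"


@dataclass(frozen=True)
class FirmwareImage:
    version: int
    payload: bytes
    signer: str   # which root is claimed to have signed the image
    tag: bytes    # stand-in signature over (version, payload)


def _message(version: int, payload: bytes) -> bytes:
    # Version is bound into the signed data so it cannot be edited independently.
    return version.to_bytes(4, "big") + payload


def sign_image(version: int, payload: bytes, signer: str, key: bytes) -> FirmwareImage:
    """Produce a signed image (HMAC stands in for the vendor's signature scheme)."""
    tag = hmac.new(key, _message(version, payload), hashlib.sha256).digest()
    return FirmwareImage(version, payload, signer, tag)


@dataclass
class UpdatePolicy:
    trusted_keys: Dict[str, bytes]  # signer name -> verification key
    min_version: int                # anti-rollback floor burned into the device


def check_update(policy: UpdatePolicy, image: FirmwareImage) -> Tuple[bool, str]:
    """Return (accepted, reason): the gates a signed-update model enforces."""
    key = policy.trusted_keys.get(image.signer)
    if key is None:
        return False, f"signer '{image.signer}' is not a trusted root"
    expected = hmac.new(key, _message(image.version, image.payload), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, image.tag):
        return False, "signature does not verify"
    if image.version < policy.min_version:
        return False, f"version {image.version} below anti-rollback floor {policy.min_version}"
    return True, "accepted"


def recovery_scenario() -> Dict[str, Tuple[bool, str]]:
    """
    Constructed scenario: the device runs vendor release v3, which was exploited;
    the malware has patched the hole in place and stays resident. The vendor has
    not yet published a fix. The owner wants to re-flash a known-good image.
    """
    vendor_only = UpdatePolicy({"vendor": VENDOR_KEY}, min_version=3)
    with_owner = UpdatePolicy({"vendor": VENDOR_KEY, "owner": OWNER_KEY}, min_version=3)

    # Owner-built clean image at v4, above the anti-rollback floor.
    owner_image = sign_image(4, b"clean-image-built-by-owner", "owner", OWNER_KEY)
    # Only older vendor release on hand (v2): blocked by anti-rollback.
    old_vendor_image = sign_image(2, b"older-vendor-release", "vendor", VENDOR_KEY)
    # An image modified without the vendor key fails the signature gate,
    # which is the very property that also shuts the owner out.
    tampered = FirmwareImage(5, b"vendor-release-with-modification", "vendor", b"\x00" * 32)

    return {
        "owner_image_vendor_only": check_update(vendor_only, owner_image),
        "owner_image_with_owner_key": check_update(with_owner, owner_image),
        "old_vendor_image": check_update(vendor_only, old_vendor_image),
        "tampered": check_update(vendor_only, tampered),
    }


if __name__ == "__main__":
    for name, (ok, reason) in recovery_scenario().items():
        print(f"{name:28s} accepted={ok!s:5s} {reason}")
```

Under the vendor-only policy every outcome is a rejection: the owner's clean image is refused because the owner is not a trusted root, the older vendor release is refused by anti-rollback, and nothing else can be flashed until the vendor ships a signed fix. The owner-key variant models the usual mitigation, an owner-enrolled root of trust (as in platforms that let the owner enroll their own keys), which restores a recovery path without weakening the signature or rollback checks themselves.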