> why not just modify it instead of adding physically observable devices to mess with it?

Look to the video game mod chip industry for your answer. Consoles obsessively verify system integrity from boot ROM to game launch. Most firmwares and OSes are encrypted, signed, hashed. Flipping bits in transit and perhaps only at specific times like system power on allows for the ROM to be read, verified, and checksummed correctly without detection of the implant. This makes the implant not only persistent, but stealthy. Even pulling the ROM chip and replacing it with a different IC would not remove the implant. And if the injection point were chosen carefully, implant functionality may reasonably be expected to persist across ROM updates. This is exactly the case with the PSNee mod chip I mention above. If I had to wager a guess, it'd be because the target, like console makers, was known to update and verify ROMs, which is SOP is any large org.

In terms of being physically observable... barely. You'd need an X-ray to find such a thing buried between PCB layers or inside another component. And not only that, you'd need to be routinely X-raying all your incoming equipment and comparing all the images. And even if you dug the thing out, you'd get a few dozen bytes of ROM out of it with no clue about who made it or how. Perhaps you might be able to determine origin for the silicon based on doping ratios and narrow it down to a few facilities operating at the right feature size. How many of us, upon receiving new equipment, immediately disassemble it to bits, individually x-ray each, then re-assemble it? Not many.

It's not a dumb idea. And whether or not actual evidence exists, exploiting the firmware on the board management controller is exactly the place where you can poke with the least effort for the greatest reward. That alone makes the attack plausible. Honestly surprised we haven't seen a BMC worm yet.