@niggy >because it lacks modern uefi security features
The thing is, if you want to achieve security, the only way to actually achieve that would be to install a actually libre version of libreboot, set grub to only boot kernels signed with a gpg key and then write protect the SPI flash chip (or get such burned into a ROM chip if you want to be sure).

On the newer, ultra proprietary boards, despite all the signing schemes they use, it seems that there's always somewhere to install malware in a way that bypasses the signature check - while you're looking pretty good if you have a motherboard with the only significant storage is the SPI flash chip and that's write protected.

grub gpg boot is much better than secure boot really.