There are no vulnerabilities that can only be used by certain people. You know that.
I am not saying it’s a good thing to not have these microcode updates, although some people in some circumstances decide that they don’t want them. There is also the issue of these updates themselves being closed source and not available for audit.
It’s imperfect choices all around. Coming back to @adw’s question: if we make microcode updates a requirement we end up with a list that has only the ThinkPad P51 and the Purism Librem 14 on it. Once we start making requirements in that direction, we should also require at least a minimized ME. That would result in the Purism Librem 14 being the ONLY computer currently than can be recommended.
I am sure you would like that, but I am not sure this would be a good thing for the project.