Even if it was exploitable, it's not like Intel can fix it as they have no mechanism to revoke the old version.
Sure, they could release a new version with the bug fixed, but the attacker doesn't have to use the new version; they can deliberately use the old flawed version in their modified version of the BIOS.
Hopefully this is true. Though we really don't know what all the components in the Intel ME can do. They might be able to remotely update all chips so long as they have connected to a network that still exists. But I think (hope) this is unlikely and you are right.