All it takes to install a (BIOS) rootkit is root access ... In windows this means answering Yes on the question "Do you want to allow the following program to make changes to your computer".
If your system firmware has already been compromised, you cannot trust that reflashing it will bring it back to a good state. Flashing relies on assistance from the existing system firmware on modern machines.
You would have to open the machine, desolder the flash chips and re-write them in a flash programmer to get a clean slate. Or, if your adversary is very high-level, just throw the machine away, since you'll never be able to find all the places one could hide persistent malware in hardware.
Once you lose physical control of a machine, it's game over if you are concerned about hardware/firmware attacks.
Are they detached and non-writable while the primary ROM is active? I have consistently used Gigabyte boards for a decade because of the extra features that come with them, Backup BIOS being a key one — in the old days I would have to flip a jumper on the board to make the system boot from the backup, today the secondary ROM gets automatically enabled if the primary one fails to load.
I wouldn't trust the secondary flash ROM on my motherboard to protect me from APT, it's only purpose is to recover from a failed flash.
Remember to flash the BIOS if you've been hacked!