Same issue as replacing BIOS on a PC. It's a serious issue that companies need to take more seriously. NVIDIA recently changed their graphics cards so only signed firmware can be used on their cards; previous to this, it was possible to flash the cards with malware which would have direct memory access, and that issue affects both PCs and Macs. Same situation with RAID cards, some sound cards, some network cards.
For the very sophisticated attacker (state-sponsored especially), there are literally handfuls of nonsecure BIOS/firmware chips to store your malware where antiviruses simply don't check.
Which reminds me, due to the threat from this, NVIDIA has written a memory dumper for their cards so that researchers can investigate the possibility of malware being loaded into their GPU's memory. It's a Linux-only tool right now.