Having DFU in BootROM is good. Having "secure boot" with only the vendor keys in BootROM is evil.
Most of the time the root of trust isn't in the boot rom, but instead OTP fuses that the boot rom reads.
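As an added example (not part of the comment above, and not any vendor's actual ROM code), the following model shows what "the root of trust is in the fuses, not the ROM" means in practice: the boot ROM logic is fixed for every part, but what it enforces is decided by an OTP fuse bank holding a secure-boot bit and a hash of the authorised public key. The next-stage image carries its own public key and a signature; the ROM first binds that key to the fuse hash, then verifies the signature. The Lamport one-time signature scheme is an assumed stand-in for the RSA/ECDSA verifier a real ROM would use, chosen only so the example runs on the standard library; the fuse layout and image header format are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# --- Toy public-key signature: Lamport one-time signature over SHA-256 ---
# Stand-in for the real ROM's RSA/ECDSA verifier (assumption for this example).
# A Lamport key must sign only ONE message; reuse leaks the private key.

def lamport_keygen():
    # For each of the 256 digest bits, two secret preimages; public key is their hashes.
    priv = [[secrets.token_bytes(32) for _ in range(2)] for _ in range(256)]
    pub = [[hashlib.sha256(s).digest() for s in pair] for pair in priv]
    return priv, pub

def _bits(message):
    digest = hashlib.sha256(message).digest()
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_sign(priv, message):
    # Reveal the preimage selected by each digest bit.
    return [priv[i][b] for i, b in enumerate(_bits(message))]

def lamport_verify(pub, message, sig):
    if len(sig) != 256:
        return False
    ok = True
    for i, b in enumerate(_bits(message)):
        # Constant-time compare of H(revealed preimage) against the public key half.
        ok &= hmac.compare_digest(hashlib.sha256(sig[i]).digest(), pub[i][b])
    return ok

def serialize_pub(pub):
    return b"".join(h for pair in pub for h in pair)

# --- OTP fuse bank as the boot ROM sees it (constructed model) ---
@dataclass(frozen=True)
class OtpFuses:
    secure_boot: bool      # once blown, the ROM refuses unauthenticated images
    root_key_hash: bytes   # SHA-256 of the authorised public key, burned once

def blow_fuses(pub_bytes, secure_boot=True):
    """Factory-time provisioning: the ROM itself never changes, only these bits do."""
    return OtpFuses(secure_boot, hashlib.sha256(pub_bytes).digest())

# --- Next-stage image: header carries the public key plus a signature ---
@dataclass(frozen=True)
class Image:
    pub: list
    payload: bytes
    sig: list

def build_image(priv, pub, payload):
    return Image(pub, payload, lamport_sign(priv, payload))

def bootrom_verify(fuses, image):
    """Return True if the ROM would hand control to image.payload."""
    if not fuses.secure_boot:
        return True  # secure-boot fuse not blown: ROM boots anything (development parts)
    # Step 1: bind the key shipped in the image header to the hash in fuses.
    pub_bytes = serialize_pub(image.pub)
    if not hmac.compare_digest(hashlib.sha256(pub_bytes).digest(), fuses.root_key_hash):
        return False  # key is valid-looking but not the one the fuses trust
    # Step 2: only now does the signature over the payload mean anything.
    return lamport_verify(image.pub, image.payload, image.sig)

if __name__ == "__main__":
    priv, pub = lamport_keygen()
    fuses = blow_fuses(serialize_pub(pub))
    print("genuine image boots:", bootrom_verify(fuses, build_image(priv, pub, b"stage2")))
    other_priv, other_pub = lamport_keygen()
    print("correctly signed with the wrong key:",
          bootrom_verify(fuses, build_image(other_priv, other_pub, b"stage2")))
```

The third case is the one the comment is about: an image whose signature verifies perfectly under its own key is still rejected, because what the ROM trusts is not "a valid signature" but "a valid signature under the key whose hash was burned into OTP". Swap the fuse contents and the same ROM binary enforces a different root of trust.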