Hacker News

That is true, but disabling firmware update (should) limit the available persistence for the malware.


Limit, but it doesn't remove all avenues of attack. Firmware config needs to be writable at runtime (things like cold boot attack protection require state to persist over power cycles, even if you don't think other firmware config should be modifiable without physical presence), and the code that parses that could still contain vulnerabilities. Making firmware mostly read-only would mitigate certain classes of attack, but not all of them.


Perfect is the enemy of good enough.


I'm responding to "There, fixed all the BIOS and firmware exploits for you". It doesn't actually fix all the potential exploits, and it makes it more difficult to apply the updates that would be required to fix them.


Fair enough. That last bit is a really good point.



