
Or two physical firmware chips: one writable, one with no write ability that serves as a fallback. Then a physical switch, could even be a jumper, to select the fallback. If compromised, you flip the switch, boot from the clean firmware, flash the writable chip, flip the switch back and reboot. I am pretty sure Gigabyte offered this same setup with Dual BIOS or something like that.


Gigabyte made a lot of marketing hay about it, but I think it was popular for a while. I think their version was some sort of watchdog/failover model where it would automatically load the backup BIOS, but some other firms had a secondary-BIOS jumper.

I think these days, the stub "BIOS flashback" is the trendy thing, where you can plug a flash drive into a magic slot and press a button to flash without even having a CPU installed.

This offered the same "brick-resistance" feature with the added benefit that people weren't stuck if they tried to pair an old-stock mainboard with a new CPU that wasn't supported by the original firmware release.

TBH, I'd rather they go in the complete opposite direction: replace the soldered EPROM with an SD slot and a $1 MCU that reads the card and emulates a ROM chip. That could be configurable to write-protect the card, or you could just trivially swap it if you didn't trust the firmware image for any reason, while avoiding the fumbliness of modern tiny 8-pin flash chips. You could socket a big old-fashioned DIP ROM, but will people feel comfortable even trying to pry that out of a $10,000 server, even with the appropriate chip-puller tool?
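The SD-backed ROM emulator with a write-protect option sketched above, as an added example that is not part of the original comment or of any Gigabyte product: a C model of the MCU's side of the SPI bus. It handles the opcodes shared by most 25-series SPI NOR parts (READ, WREN, WRDI, RDSR, PAGE PROGRAM, SECTOR ERASE), keeps the write-enable latch a real chip would, and adds a hypothetical `wp_jumper` flag that refuses every program and erase regardless of the latch and counts the refusals so the MCU could report them. The flash geometry, the refusal policy, the in-memory `image` standing in for the SD card, and the scenario functions are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Geometry of the emulated part (tiny for the demo; real BIOS parts are MiB). */
#define FLASH_SIZE   (16u * 1024u)
#define PAGE_SIZE    256u
#define SECTOR_SIZE  4096u

/* Opcodes common to most 25-series SPI NOR chips. */
#define OP_PP    0x02  /* page program: 3 address bytes, then data bytes     */
#define OP_READ  0x03  /* read: 3 address bytes, then N dummies clocked out  */
#define OP_WRDI  0x04  /* write disable                                      */
#define OP_RDSR  0x05  /* read status register (bit 1 = WEL)                 */
#define OP_WREN  0x06  /* write enable                                       */
#define OP_SE    0x20  /* 4 KiB sector erase: 3 address bytes                */

struct flash_emu {
    uint8_t  image[FLASH_SIZE];  /* stands in for the SD card contents (constructed) */
    bool     wel;                /* write-enable latch, as on a real chip            */
    bool     wp_jumper;          /* hypothetical physical write-protect jumper       */
    unsigned refused;            /* program/erase requests the MCU refused           */
};

static void flash_emu_init(struct flash_emu *f, uint8_t fill, bool wp_jumper)
{
    memset(f->image, fill, sizeof f->image);
    f->wel = false;
    f->wp_jumper = wp_jumper;
    f->refused = 0;
}

static uint32_t addr24(const uint8_t *p)
{
    return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2];
}

/* One chip-select-framed transaction. tx holds every byte the host clocked in
 * (opcode, address, data or dummies); rx receives what the chip would have
 * clocked out for READ/RDSR. Returns 0 on success, -1 on a malformed or
 * unknown command, -2 when a write was refused (no WEL, or jumper set). */
static int flash_emu_transact(struct flash_emu *f, const uint8_t *tx, size_t txlen,
                              uint8_t *rx, size_t rxcap)
{
    if (txlen == 0) return -1;
    switch (tx[0]) {
    case OP_WREN: f->wel = true;  return 0;
    case OP_WRDI: f->wel = false; return 0;
    case OP_RDSR:
        if (rxcap < 1) return -1;
        rx[0] = f->wel ? 0x02 : 0x00;
        return 0;
    case OP_READ: {
        if (txlen < 4) return -1;
        uint32_t a = addr24(tx + 1);
        size_t n = txlen - 4;             /* one data byte per dummy byte clocked */
        if (n == 0 || a + n > FLASH_SIZE || n > rxcap) return -1;
        memcpy(rx, f->image + a, n);
        return 0;
    }
    case OP_PP:
    case OP_SE: {
        if (txlen < 4) return -1;
        uint32_t a = addr24(tx + 1);
        if (a >= FLASH_SIZE) return -1;
        /* Policy (assumed): the jumper overrides everything; WEL is the normal gate. */
        if (f->wp_jumper || !f->wel) { f->refused++; f->wel = false; return -2; }
        f->wel = false;                   /* WEL self-clears after program/erase */
        if (tx[0] == OP_SE) {
            memset(f->image + (a & ~(SECTOR_SIZE - 1)), 0xFF, SECTOR_SIZE);
        } else {
            size_t n = txlen - 4;
            if (n == 0 || n > PAGE_SIZE) return -1;
            /* NOR programming only clears bits, and wraps within the page. */
            for (size_t i = 0; i < n; i++)
                f->image[(a & ~(PAGE_SIZE - 1)) + ((a + i) & (PAGE_SIZE - 1))] &= tx[4 + i];
        }
        return 0;
    }
    default: return -1;
    }
}

/* Scenario: optionally WREN, then program 0x00 over 0xFF at 0x000010, then read it back. */
static void run_program_scenario(struct flash_emu *f, bool wp_jumper, bool send_wren)
{
    flash_emu_init(f, 0xFF, wp_jumper);
    const uint8_t wren[] = { OP_WREN };
    const uint8_t pp[]   = { OP_PP, 0x00, 0x00, 0x10, 0x00 };
    if (send_wren) flash_emu_transact(f, wren, sizeof wren, NULL, 0);
    flash_emu_transact(f, pp, sizeof pp, NULL, 0);     /* may be refused */
}

/* Byte read back after the scenario: 0x00 if the write landed, 0xFF if refused. */
int program_then_read(bool wp_jumper, bool send_wren)
{
    struct flash_emu f; uint8_t rx[1];
    const uint8_t rd[] = { OP_READ, 0x00, 0x00, 0x10, 0x00 };  /* one dummy byte */
    run_program_scenario(&f, wp_jumper, send_wren);
    return flash_emu_transact(&f, rd, sizeof rd, rx, sizeof rx) == 0 ? rx[0] : -1;
}

/* How many writes the emulator refused in the same scenario. */
unsigned refused_writes(bool wp_jumper, bool send_wren)
{
    struct flash_emu f;
    run_program_scenario(&f, wp_jumper, send_wren);
    return f.refused;
}

/* Scenario: WREN, then erase the sector at 0x001000 in an image filled with 0x5A,
 * then read 0x001005: 0xFF if the erase happened, 0x5A if refused. */
int erase_then_read(bool wp_jumper)
{
    struct flash_emu f; uint8_t rx[1];
    const uint8_t wren[] = { OP_WREN };
    const uint8_t se[]   = { OP_SE, 0x00, 0x10, 0x00 };
    const uint8_t rd[]   = { OP_READ, 0x00, 0x10, 0x05, 0x00 };
    flash_emu_init(&f, 0x5A, wp_jumper);
    flash_emu_transact(&f, wren, sizeof wren, NULL, 0);
    flash_emu_transact(&f, se, sizeof se, NULL, 0);
    return flash_emu_transact(&f, rd, sizeof rd, rx, sizeof rx) == 0 ? rx[0] : -1;
}

int main(void)
{
    printf("jumper off, WREN: read 0x%02x\n", program_then_read(false, true));
    printf("jumper off, no WREN: read 0x%02x (refused %u)\n",
           program_then_read(false, false), refused_writes(false, false));
    printf("jumper on, WREN: read 0x%02x (refused %u)\n",
           program_then_read(true, true), refused_writes(true, true));
    return 0;
}
```

The point of the model is that the only thing standing between a compromised host and the firmware image is the branch on `wp_jumper`, which lives in the MCU rather than in anything the host can address, so the host-side flashing tool sees the same bus protocol either way and simply finds its writes ignored. A refusal counter like `refused` is also exactly the kind of tamper signal such an MCU could raise out-of-band.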



