A bit beyond my reading level for ATA/ATAPI and firmware updates on these devices, but from extensive conversations with our friends over at Progressive Technology (not an affiliate link!), the state of firmware security for storage devices is pretty bad. Following the historic firmware pattern – devices are often shipped with updataABLE firmware, meaning it can be supplanted by malware, but seldom/never receive firmware updates, nor does the manufacturer expect to supply firmware updates. Let alone via any sort of automated mechanism, like LVFS or Windows Update.
This sounds like progress, and progress is good.