>unless they hard-wire a different certificate into each and every chip (which would mean that every chip was really unique), the certificate is stored somewhere. Wherever it's stored can be read and written to.
TPMs are designed to be written exactly one time (during manufacture). After that the certificate part is read-only. That's quite easy to do electronically, so I don't think TPM designers are lame enough to leave a hole like this.
>it has to be modifiable, or if there is a problem on the signing side, the vendor has no ability to update the system to accept a new signing key.
TPMs can't be updated. If there's a problem that requires the master certificate to be replaced, you're screwed.