Either the bad guys can run code as root on my machine or they can't.
If they don't, then my boot is already 100% secure because they can't change the boot sector of my disk, the bootloader configuration, the initrd, the kernel or the init scripts.
If they DO have root access, it's because they've found some remote exploit (I keep all my distros up-to-date with security updates, but zero-days are still possible), because I for sure didn't give them a legitimate account on my machine, much less physical access to it.
And if they have found a successful remote exploit, everything I do at boot is pointless; they'll still have full control of my machine. And that INCLUDES the possibility of preventing any security update from being successful while still giving me the appearance of a completely updated and secure system unless I pay *very* close attention.
There's a reason why a compromised system must never be just *fixed*, it must be rebuilt from a clean install.
Look, the root of the problem is: the boot process must not be modifiable without the consent of the device's owner, but it must also be easy to change for the owner if they want to.
The current boot process does achieve both of these goals; UEFI "secure" boot doesn't.