Garrett: Secure Boot and Restricted Boot

Posted Apr 3, 2013 22:08 UTC (Wed) by raven667 (subscriber, #5198)
In reply to: Garrett: Secure Boot and Restricted Boot by paulj
Parent article: Garrett: Secure Boot and Restricted Boot

That is one opinion, but the kernel and userspace will never be any better or more secure than they are today, and some people aren't willing to just throw up their hands and accept insecurity as the normal state of affairs without trying to do something about it. What you describe is correct: an exploit can be driven from config read during early boot, or attacker-supplied code that exploits the system, but the attack surface of config parsers is fairly small and well defined, while the point where attacker-supplied code can be run can be pushed later and later in the boot process via nested signature checking. Even in the case of a thoroughly compromised system, the update process can be blocked but not modified, so that the holes can be closed as they are found, leaving a working system which can be more reliably cleaned. Secure Boot gives you a small beachhead with which you have the opportunity to retake control of your system from a remote attacker, nothing more.



Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds