While I in general agree to the sentiment, but microcode is starting to get touchy 
So in general speaking a kind of red line is where the binary actually gets executed. Does it get executed by some MCU on some peripheral? Or does it get executed by the main CPU that is also running the OS? The latter for me is pretty much unacceptable since this can have severe security implications. Some $mystery code could do anything, in general I can not review and audit it (of course to some extend one could by disassembling etc.). So we do not want mystery code running on the main CPU - even if separated, containered, compartementalized or whatever - it is a security risk as soon as it touches the main CPU.
For stuff like a WiFi card etc. this is not a big deal, there the main CPU is just pushing the data through from the filesystem to the WiFi card (or other peripheral) and is done. Code does not get executed on the main CPU, all shiny.
But microcode? While it does executed in itself on the main CPU it can have severe consequences for everything else that gets executed on that CPU. So here my red line becomes pretty blurry already. For this microcode we need to trust CPU manufacturers that it does not compromise the system and that it is 100% definitely authentic and can not be tempered with. I have not looked much into this yet, if this can be assured.
But yes, also microcode updates can be very much necessary! And so far we have been putting these into Coreboot updates instead of the OS, because we also can not ship these with PureOS without loosing the FSF endorsement.
Cheers
nicole