It is my understanding that due to the structure of modern web browsers it is by design that they execute arbitrary code from various sources, be it plugins or updates or whatever, and due to the microcode issue any flaw in any of those was equivalent to a full system compromise at the firmware level and could persist across a wipe/reimage of the machine. My management was not comfortable accepting that risk.