UEFI technology came together with Secure Boot and was mostly initiated and implemented by M$ with all new OEM Win 8 computers in 2012. It replaced Legacy BIOS technology.
Legacy BIOS technology was based on an open platform and it is left to the users how to secure their BIOS, eg by setting a BIOS password. Computer dummies may ignorantly install infected bootable software from the Web, similar to computer dummies getting their OS infected by ignorantly clicking email attachments, downloading infected torrent files, visiting infected <violates forum rules>-sites, etc. There is no technology cure for 'stupid', eg Win 10 S or Secure Boot/UEFI or Windows Anti-virus programs, etc, cannot stop computer dummies from doing stupid things on the Web.
... I think UEFI/Secure Boot is just FUD for M$ to lock-down their desktop OS world marketshare by preventing or making it difficult for competing OS(especially Linux) to be self-installed by competent users.
No doubt, Legacy BIOS technology is lacking, eg limited to a tiny 16bit MBR Boot Partition, 4 Primary partitions and 2TB in disk size. The new UEFI technology is an improvement. But the way that UEFI and Secure Boot were implemented in 2012 smacked of securing world marketshare for M$ and certain OEMs(eg Intel).
Secure Boot requires a bootloader to be signed by M$'s Verisign before it can be installed and the certificate signing service costs about US$100 per year. Ubuntu, Fedora, LM, etc had to pay to get their EFI bootloaders signed or approved, supposedly as secure non-malware. Minor Linux distros who could not afford to pay this yearly signing fee to M$'s Verisign require Secure Boot to be disabled before their bootloaders can be installed.
Initially in 2012, M$ wanted Secure Boot to be permanently enabled on new OEM Windows computers but they backed down after much opposition from the tech industry and users. Certain Surface devices from M$ have Secure Boot permanently enabled, eg ARM-based Surface RT. M$ will soon be introducing ARM-based Win 10 Surface devices. Will Secure Boot in such devices be permanently enabled.?
With the 2015-released Win 10, M$ told the OEMs that it is up to their discretion whether they want to have Secure Boot permanently enabled. Seems, a few of the OEMs are trying to make Secure Boot permanently enabled for their new 2017 computers by not allowing non-Windows EFI bootloaders to be installed. After much complaints from consumers, the OEMs issued BIOS firmware updates to allow the booting of non-Windows EFI bootloaders.
Certain high-end OEM Win 8.x/10 computers, eg Acer, Asus and HP, have an obstructive or pro-M$ BIOS setting for "select an UEFI file as trusted for executing", ...
https://itsfoss.com/no-bootable-device-found-ubuntu/ and
[ viewtopic.php?t=236560 ]
... The above latest(= 2017) OEM laptops, eg Acer E and S series, may have even removed this BIOS setting(= "No bootable device" after installing Linux and cannot be fixed), but may be restored by a new BIOS firmware update from the OEMs...
[ viewtopic.php?f=46&t=254948 ]
Most Surface devices already have UEFI permanently enabled, ie cannot use Legacy BIOS mode for OS installation, purportedly required because of the Connected Standby feature for mobile devices. So, beware.
Installing an OS in Legacy BIOS mode is much simpler than in UEFI mode, eg when reinstalling Windows in a dual-boot system = need to reinstall Grub or grub-efi-amd64.
So, the likely endgame for M$ and Intel is to abolish Legacy BIOS mode and have Secure Boot permanently enabled, so as to be able to permanently impose their Wintel oligopoly.
