If they’re properly locked down the option to boot another from another device or even the recovery drive will be locked behind a password. It’s like it’s been bios locked on a PC but rather than being stored with a battery it’s saved into the physical chip which would need to be removed and either replaced or reflashed.
And that’s just fine. They don’t need to have an expensive release event for every point upgrade.