Name a single prevented bootkit that wasn't able to avoid the encryption and signature verification toolchain altogether.

Malware developers know how to avoid this facade of an unlocked door.

Users do not.

That's the problem. It's not about development, it's about user experience. Most users are afraid to open any Terminal window, let alone aren't even capable of typing a command in there.

If you argue about good intent from Microsoft here, think again. It's been 12 years since Stuxnet, and the malware samples still work today. Ask yourself why, if the reason isn't utter incompetence on Microsoft's part. It was never about securing the boot process, otherwise this would've been fixed within a day back in 2013.

Pretty much all other bootkits also still work btw, it's not a singled out example. It's the norm of MS not giving a damn about it.