Message 240 of 288
How is Secure Boot broken?
I mean, broken in ways other than it requires a signed UEFI boot manager that must confirm trust, by a hash or certificate, before loading any UEFI and/or OS boot code. I agree that it was initially frustrating that only Microsoft could create a secure boot manager, but the most recent efforts to allow loading of other OSes from an independent secure-boot manager solves much of the problem.

When a signed independent boot manager UEFI app is installed onto a machine running in SecureBoot mode, it will be able to hash or validate certificates for any OS code to be booted. It requires human intervention to modify the hash or certificate of code they want to allow to boot securely, and I don't see an easy way for a virus writer to bypass this. (Yes, if a virus is embedded in code before it is hashed or signed, then it will be loaded along with the OS, but this is a vulnerability in any environment, not just SecureBoot.)

PC-OEMs are just now releasing updates to their UEFI BIOS that are way less buggy than the initial stuff that came out on Win8-compatible hardware. I believe that we're also very close to having an independent boot manager signed by Microsoft that can then maintain a secure list of hash/certificates for OSes it will allow to boot. If the booted OS doesn't continue to make use of the TPM to measure all code before executing it, the resulting security failures are a result of that OS, not of the SecureBoot mechanism itself.

However, I do hear that Microsoft has been very arrogant in dealing with the attempts to get such an independent BootManager signed -- but that's a common problem when dealing with Microsoft to get anything from them that doesn't positively impact their bottom line. Come on Microsoft -- sign the damn bootmanager code and put an end to this bad publicity you have invited.
Posted by zdnet@...
10th Dec
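As an added illustration of the two mechanisms the post leans on (a boot manager that only loads OS code whose hash a person has enrolled, and a TPM that measures every image before it runs), here is a constructed toy model; it is example code written for this page, not code from the poster or from any real boot manager, and the image bytes and names are made up.

```python
import hashlib

# Toy model (constructed) of the checks the post describes: a boot manager
# loads an OS image only if its SHA-256 hash is on a human-enrolled allowlist
# and not on a revocation list, and measures every candidate into a
# TPM-style PCR so a later verifier can reconstruct what was attempted.

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def pcr_extend(pcr_hex: str, measurement_hex: str) -> str:
    """TPM extend rule: new PCR = SHA-256(old PCR || measurement)."""
    return sha256_hex(bytes.fromhex(pcr_hex) + bytes.fromhex(measurement_hex))

def replay_pcr(log: list) -> str:
    """Recompute the PCR from the event log, as an attestation verifier would."""
    pcr = "00" * 32
    for measurement, _decision in log:
        pcr = pcr_extend(pcr, measurement)
    return pcr

class BootManager:
    def __init__(self) -> None:
        self.allowed = set()     # hashes enrolled by a person at the console
        self.revoked = set()     # hashes withdrawn later (a dbx-like role)
        self.pcr = "00" * 32     # measurement register, zero at power-on
        self.log = []            # event log: (image hash, booted?)

    def enroll(self, image: bytes) -> None:
        self.allowed.add(sha256_hex(image))

    def revoke(self, image: bytes) -> None:
        self.revoked.add(sha256_hex(image))

    def boot(self, image: bytes) -> bool:
        h = sha256_hex(image)
        self.pcr = pcr_extend(self.pcr, h)   # measure before deciding
        ok = h in self.allowed and h not in self.revoked
        self.log.append((h, ok))             # refusals are recorded too
        return ok

if __name__ == "__main__":
    bm = BootManager()
    loader = b"constructed OS loader image v1"
    bm.enroll(loader)
    print("enrolled image boots:", bm.boot(loader))              # True
    print("one-byte tamper boots:", bm.boot(loader + b"\x00"))   # False
    bm.revoke(loader)
    print("revoked image boots:", bm.boot(loader))               # False
    print("log replays to PCR:", replay_pcr(bm.log) == bm.pcr)   # True
```

The point the model makes is that a tampered image changes its hash, so it fails the allowlist check and also leaves a different PCR value than the enrolled image would; a remote verifier replaying the log can tell the two apart even though the refused boot never ran.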