I think we frankly don't know how much of a problem it is yet. Since there's no widely applicable remote exploit for it, as far as the mainstream is concerned, all we're left to do is speculate on the risk. If someone operates a server, it's best practice not to have any extra services running on top of what's needed to run the original service. This is because every extra open port, piece of software or bit of complexity increases the attack surface. Same with Intel ME: people don't understand why it needs to be there if nobody seems to even use it.
Preinstalls are not hyperbole though; there was some nasty stuff over the years. Lenovo, for one, bundled Superfish, which man-in-the-middled all HTTPS browser communication[0]. Similar effort from Dell[1].
I think ME's situation is similar to Stallman's attitude toward proprietary software. Proprietary is not evil by itself, but it's very easy to corrupt it to be so, and then the end user is powerless. And because the end user can't decide when this change happens, they are powerless to begin with. Therefore the thing shouldn't exist in the first place.
[0] https://en.wikipedia.org/wiki/Superfish#Lenovo_security_inci...
[1] https://en.wikipedia.org/wiki/Dell#Self-signed_root_certific...