
Seen devices with IPMI that had by design unauthenticated admin login to the IPMI from the host side that was not removable. They also could flash IPMI firmware from the host. So if your server with such an IPMI is infected you can't trust reimaging it via IPMI because that can be hijacked as well.



I would consider that mostly a feature. The situation where that is useful (you somehow lost the credentials for the BMC, but have root access to the host) is in my experience significantly more common (I see that multiple times in a year) than an attacker implanting stuff into the BMC firmware (never seen that).

Obviously if you rent out whole physical machines and automate the provisioning by IPMI, then the last thing you want is the customer having admin access to the BMC.

Dell iDRAC has an interesting feature that allows you to make all of the BMC configuration read-only, which can only be disabled by factory resetting the iDRAC by means of a physical (and IIRC not exactly documented) switch on the BMC board. (Well, it is still _i_DRAC as in “integrated”, but on current higher-end PowerEdges the iDRAC is a separate OCP-like card, but well, the system does not work without it.)


"It rather involved being on the other side of this airtight hatchway"



