In order for malware to exploit this method of infection in a more general fashion, surely there are some pretty hefty technical obstacles to overcome? How would an adversary target a machine with unknown hardware / unknown bios / unknown OS.
This embedded hardware is much more common and standardized than you might think. Pretty much all PCs use the same USB host chips. And for a given peripheral there's usually only a handful of chips running similar architectures available on the market. The BIOS/EFI firmware has standard extension interfaces that all vendors support and the malware would hook into to load itself.
Of course there's still a lot of engineering work that needs to be done to create such a virus, enough to put it in the category of almost-certainly-state-sponsored. But once it is isolated in the lab, it's a relatively small operation to dissect and re-purpose its various components to an existing bitcoin wallet seeking malware, for example.