When you think it is so simple to attack a system with microcode, try it yourself. You find microsims which allow you to create your own opcodes. That's what you do for training when you study computer science. Asm is easy compared to that when you want to do some complex things. It is very unlikely that you want to write real attack code when you don't want the system to just crash. You could maybe override a random value generator with a fixed value (only newer CPUs can do that) to get a fixed seed for a cipher (if it would be the one and only source of it). Even if you could change opcodes, what would you change? That's what is done with those updates, not more, not less. I do not feel a security risk when I cannot look at the code for what those do. The CPU itself is a black box as well; you have to assume that it works as expected.

This has got really nothing to do with open source. If you create your own CPU then you have to worry about it maybe, but that's something a casual user does not do. I am pretty sure you are not clever enough to develop your own processor design...