i think it's fair to say people were not thinking their boot logo was a security risk. of all the obvious security issues to consider, i doubt the boot logo was on anyone's top 50 things to worry about.
All hardware depends on software which is written by humans, whom are not perfect, and even if they were, there are other reasons to do things.
It could just be cost cutting leading to missed flags or a rush to push out updates for other issues that misses other portions of the firmware.
I tend to lean towards these were intentionally left there. (CIA/NSA/9eyes/Etc.'s request/mandate)
Anyway, back to the issue of not assuming an image parser would cause this kind of havoc.
This won't be the first time an image parser has caused issues, it seems to be a common issue for web browsers so why not firmware? I think some people don't realize that an image file is more than just the image, especially certain formats that support extended features (animations). This requires more than just the ability to show the "image".
If you didn't code it yourself, and you haven't thoroughly tested it in every permutation it could ever be put under, then consider it unsafe.
There's way too many people interested in the actions of the rest of us that these things can't just be accidents. Am I too paranoid?