Once you can use microcode updates to correct or change an instruction within a CPU, you have a large security hole. How do you ensure that the microcode update is authentic? You could have the operating system compare a hash of the update to a value stored on a website, but that requires online access.
You could insist that the TPM have a storage area into which you can save the microcode update, or the microcode signature. Then you have to transfer the responsibility of CPU update to the motherboard BIOS.
Here again, if you can defeat the motherboard BIOS, you are back to my initial proposition: microcode updates are a giant hole into which you can pour insecurity and introduce new instructions, new instructions which can be used to leak information.
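One offline check of the kind the post is reaching for, as an added example that is not part of the original comment: the expected digest of each update revision is pinned in protected storage (standing in for the TPM area the post proposes), and the update is refused on digest mismatch, truncation, unknown revision or rollback. The container layout, field names and sample blob are constructed for illustration and are not any vendor's real format.

```python
import hashlib
import hmac
import struct

# Constructed toy container (not a real vendor format): magic(4) | revision(u32 LE) | body_len(u32 LE) | body
MAGIC = b"UCOD"
HEADER = struct.Struct("<4sII")

class RejectedUpdate(Exception):
    pass

def parse_update(blob):
    if len(blob) < HEADER.size:
        raise RejectedUpdate("truncated header")
    magic, revision, body_len = HEADER.unpack_from(blob, 0)
    if magic != MAGIC:
        raise RejectedUpdate("bad magic")
    body = blob[HEADER.size:]
    if body_len != len(body):
        raise RejectedUpdate("length field does not match payload")
    return revision, body

def verify_update(blob, pinned, installed_revision):
    # pinned: revision -> expected SHA-256 digest, standing in for values
    # held in a TPM NV index so no online lookup is needed at load time.
    revision, body = parse_update(blob)
    if revision <= installed_revision:
        raise RejectedUpdate("rollback or replay")
    expected = pinned.get(revision)
    if expected is None:
        raise RejectedUpdate("unknown revision")
    if not hmac.compare_digest(hashlib.sha256(body).digest(), expected):
        raise RejectedUpdate("digest mismatch")
    return revision

def check(blob, pinned, installed_revision):
    # Return the accepted revision, or the rejection reason as a string.
    try:
        return verify_update(blob, pinned, installed_revision)
    except RejectedUpdate as e:
        return str(e)

def build_update(revision, body):
    return HEADER.pack(MAGIC, revision, len(body)) + body

# Constructed sample: pin the digest of revision 2, then tamper one byte.
GOOD_BODY = bytes(range(64))
GOOD = build_update(2, GOOD_BODY)
PINNED = {2: hashlib.sha256(GOOD_BODY).digest()}
TAMPERED = GOOD[:-1] + bytes([GOOD[-1] ^ 0x01])
```

The loader fails closed on every rejection path; the pinned table itself still has to be written only by a party that can be trusted more than the code asking for the update, which is exactly the BIOS problem the post raises.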