Isn't the solution for Apple to have the phone also sign the firmware update so that the user has to enter their passcode to accept the update and sign the signature of their key?
If the firmware isn't signed by both keys (the user's public key being stored in the secure enclave) then the phone should refuse to boot.
That way, even if Apple is compelled to sign a rogue firmware, it still requires that the user also be compelled to accept it.
In the specific case of the Error 53 problem I don't see a problem. In the case the fingerprint sensor has been replaced with a non-standard version, I really want the phone not to boot because there is a fair chance it's been compromised.
(That said, I think Apple's handling of the issue was terrible and it should have given a much more specific error, and Apple should have been much less douchebaggy about replacing the sensor with an official version.)
That error was a factory test error code -- it was never meant for end users. It was a bug, that's all. Any other kind of bug could exist that prevents a device from booting (like the recent Jan 1 1970 issue).
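The dual-signature boot check proposed at the top of this thread, sketched as an added example; it is not part of any comment here and is not Apple's code. It assumes Ed25519 keys and that the user key countersigns the image digest together with the vendor signature; `Update`, `VerifyUpdate`, `Sign` and `userMessage` are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Update is a hypothetical firmware package with two detached signatures.
type Update struct{ Image, VendorSig, UserSig []byte }

var ErrVendorSig = errors.New("vendor signature missing or invalid")
var ErrUserSig = errors.New("user countersignature missing or invalid")

// userMessage is what the user key signs: image digest plus vendor signature.
func userMessage(image, vendorSig []byte) []byte {
	d := sha256.Sum256(image)
	return append(d[:], vendorSig...)
}

// VerifyUpdate is the boot-time policy: both signatures must verify.
func VerifyUpdate(vendorPub, userPub ed25519.PublicKey, u Update) error {
	d := sha256.Sum256(u.Image)
	if !ed25519.Verify(vendorPub, d[:], u.VendorSig) {
		return ErrVendorSig
	}
	if !ed25519.Verify(userPub, userMessage(u.Image, u.VendorSig), u.UserSig) {
		return ErrUserSig
	}
	return nil
}

// Sign has the vendor sign the digest, then the user countersign.
func Sign(vendor, user ed25519.PrivateKey, image []byte) Update {
	d := sha256.Sum256(image)
	vs := ed25519.Sign(vendor, d[:])
	return Update{image, vs, ed25519.Sign(user, userMessage(image, vs))}
}

func main() {
	vp, vk, _ := ed25519.GenerateKey(nil) // throwaway demo keys (constructed)
	up, uk, _ := ed25519.GenerateKey(nil)
	u := Sign(vk, uk, []byte("firmware image (constructed)"))
	fmt.Println("both signatures:", VerifyUpdate(vp, up, u))
	u.UserSig = nil // vendor signed, user never approved
	fmt.Println("vendor-only update:", VerifyUpdate(vp, up, u))
}
```

Because the countersignature covers the vendor signature, a user approval recorded for one image does not verify against a different vendor-signed image.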