They can't distribute firmware blobs simply because FSF and GNU do not in principle participate in distribution of any non-free programs.
Also consider that if a manufacturer can distribute opaque firmware updates to your system, it practically has remote control over it, ะต.g. Intel can activate a backdoor in specific CPUs when needed by publishing a microcode update.
What is more risky to you: Leaving known vulnerabilities such as spectre unpatched or the possibility of Intel adding a backdoor for some unknown purpose that wasn't present in the shipped hardware?
The former is more risky from the security point of view. The latter is more risky from the freedom point of view. (And, while an FSF supporter, I choose to be more secure.)
Vulnerabilities such as spectre are only relevant if you run untrusted non-free software. Also these vulnerabilities show that sandboxing is not effective on current CPUs, and specific mitigations does not solve the problem in general.
Also consider that if a manufacturer can distribute opaque firmware updates to your system, it practically has remote control over it, ะต.g. Intel can activate a backdoor in specific CPUs when needed by publishing a microcode update.