There is actually a proper reason why you don't want firmware to be rewritable: if someone does steal the key, they can rewrite it. This is something I've discussed with colleagues even for Tillitis T-Key.
Vulnerabilities will always be found in any piece of hardware given enough time, and this recent one requires about $11K in hardware and tons of cryptographic knowledge and electrical engineering knowledge.
Yubico addressed it by creating their own crypto library.