I can see someone taking advantage of that under the assumption you can get the machine to update while it's powered on (and already unlocked)... but hopefully that's not what they're calling "TPM+PIN is vulnerable too".