> But that requirement prevents a hardware vendor from doing something like saying "I'll only boot a signed/verified root filesystem" or "The rootfs is read-only to everything except signed OS updates".
Only if you don't allow the user to decide which signing keys to trust. So GPLv3 doesn't prevent you from improving security, only from bossing around your users.