I think Microsoft made it mandatory to allow disabling secureboot because they wanted their older OSs to work, didn't want devices getting bricked when a vendor poorly implemented it, and didn't want to get hit with another anti-trust suit. not necessarily in that order.
>>throwa+(OP)
I've read that Surface ARM hardware had a secure boot that could not be disabled. This would make a lot sense; there was no legacy Windows for ARM to keep backwards compatibility for.