Does malware which infects the BIOS/ Firmware always need 'root' access to do so?

There are very few hardend Operating Systems who restrict or totally disable Terminal 'root' access for the user.

(1) Would this feature prevent persistant BIOS rootkits from writing into BIOS or infecting other firmware on the machine? Whats the security margin of this feature?

(2) Considering above attack vectors, would it make a difference either totally disabling root access (hardcoded) or just use a strong root password? Whats safer?

(3) Could there be exploits which allow malware to write to BIOS without root at all?