Agreed on a stand-alone basis, but couple that with client certificate based auth and all client certificates being the same worldwide, and it makes the UART a convenient step in the chain of attack. (Agree that the problem isn’t the UART pads though.)
Actually, considerably less.