Many of the more technically advanced governments create and/or buy malware which is able to persist in places other than just your hard drive and BIOS.
As it seems you're new to the idea, look into APTs for a general understanding of how persistent threats can be useful when they're embedded into a target:
The mechanisms for persisting outside of HDD/SSD data areas and the BIOS can vary. There are a lot of support chips in computers and peripherals. For example, Intels AMT (supposed to secure PCs) has been shown by researchers to be a useful place to put malware.
Snowden revealed that the government is capable of planting malware in peripheral firmware. So you can have a hacked bios/EFI, system controller, security chip, hard drive, SSD, GPU, WiFi/networking card/chip that is virtually impossible to detect from the main OS.
Maybe they put a keylogging device between the keyboard ribbon cable and the motherboard? Say this device exfiltrates keypresses via a radio and a government agency, knowing where you work or live, can then pick up the data wirelessly.
It’s a bit sci-fi, but well within the resources of any of these governments.
If the bios is corrupt it can corrupt the OS. So that the OS does not really flash it. Or there might be a hardware exploit that makes it look like the bios is being flashed while keeping the corruption or one that injects the corruption after each bios flash. In general if the HW has been modified it would be really hard to detect the exploit.
But if a super sophisticated approach is used, they could just as well catch and prepare your computer before you receive it i.e. if you ordered it by mail.
