Part of the reason for secure boot is to stop somebody from having persistent root by installing a compromised kernel. On reboot, the firmware will detect the change.
To allow for user freedom, you need to allow change of keys and/or BIOS. If you allow this to be done in software, a remote attacker can simply change this and get a persistent rootkit, defeating the purpose.
Therefore, to balance the two goals, you make sure that disabling write protect cannot be done in software and needs to be a hardware option. Also not an option a normal user can be socially-engineered into carrying out (e.g. insert SD card, wait while hacker loads exploit onto it, and leave SD card in to be used as a 'custom firmware' as suggested by a poster above).
This is the reason why the write-protection involves opening up the case and flipping a jumper and so on. It is not something a user would normally do.
If you are so bad that you can't find this jumper, Google have put up a website which shows how to dismantle and where this jumper is.
Since some are so uneducated about this, maybe they should read the security design document.
Personally, I also find the CTRL-D annoying, which is why I will flash my firmware to remove this.
Pretty stupid reasoning