
xdmys
Sep 2, 2019
Apparently the T2 chip has the same checkra1n flaw which affects the older iPhones and iPads. This seems to be a very serious problem as it could potentially lead to hidden malware being embedded into the chip itself. I have included a breakdown from the security researcher of exactly what the exploit accomplishes.


Explanation by Penwellr:
In a T2 based Mac, the T2 processor "comes up" before the Intel CPU is even powered. The T2 takes over portions of power management (previously the SMC), firmware storage and loading, etc. The T2 processor is based on the iPhone 7's A10 processor and has something like an iPhone DFU mode, which allows the processor to boot entirely from SecureROM to receive fresh firmware in cases of corruption. Now the checkm8 vulnerability is a flaw in how the SecureROM handles USB URBs. This flaw allows one to upload and execute arbitrary code at the SecureROM stage. As an iOS-based device boots up, it validates the next stage and subsequently locks down portions of the surface area. This means that because you have executed at the lowest level you are able to 1) load any next stage code you'd like, such as a patched iOS kernel, 2) access low-level services such as the SEP's UID / GID key (crucial to FileVault 2). Remember that all of this occurs before the Intel x86 processor is even powered on. The "microcode" is a patching system for the x86 CPU and is usually provided by the early Intel boot process, like EFI. On T2 Macs, the EFI itself is actually provided BY THE T2, meaning that a jailbroken T2 can even provide old microcode and reintroduce Meltdown...

In order to fix the bug, Apple would have had to burn in a revised SecureROM. They could have done this as every device they ship (iPhone X, XS, 11) gets a new GID key and SecureROM. For some reason that escapes me, the SecureROM and GID key are identical on the newest Macs like the Pro to what they were on the original T2 based iMac Pro from 2016. Frankly, there's no way to fix this without one of two things happening:

1) Buying a new T3 based Mac

2) Apple creating a "revised T2 / logic board" for affected computers.
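Added example (not code from this post, from Penwellr, or from Apple): a host-side inventory script for the situation described above. It checks whether the machine has a T2 at all, records the Boot ROM (EFI) version, compares the loaded CPU microcode revision against a minimum, and runs Apple's eficheck if it is present. The assumptions: `system_profiler SPiBridgeDataType` names the chip "Apple T2 Security Chip", `SPHardwareDataType` carries a "Boot ROM Version:" line, `sysctl machdep.cpu.microcode_version` reports the loaded microcode revision (all of which hold on Intel Macs running 10.13 or later), and `MIN_MICROCODE` is a placeholder you must set per CPU model from vendor release notes. The sample `system_profiler` output embedded below is constructed, not captured from a real machine. The caveat that follows from the post itself: every value here is read through macOS, and on a T2 Mac the EFI that boots macOS comes from the T2, so a compromised T2 could in principle feed the host a clean-looking picture. Treat the output as inventory, not as proof of integrity.

```shell
#!/bin/sh
# Added example, not from the forum post or from Apple: host-side inventory
# checks for a T2 Mac. Assumptions: `system_profiler SPiBridgeDataType` lists
# the T2 as "Apple T2 Security Chip", SPHardwareDataType carries a
# "Boot ROM Version:" line, and `sysctl machdep.cpu.microcode_version`
# reports the loaded microcode revision (all real on Intel Macs, 10.13+).
# MIN_MICROCODE is a placeholder: set it per CPU model from vendor notes.

# Echo "T2" if the bridge listing mentions the chip, "none" otherwise. $1 = text.
has_t2() {
    if printf '%s\n' "$1" | grep -q 'Apple T2 Security Chip'; then
        echo T2
    else
        echo none
    fi
}

# Echo the value of the first "Boot ROM Version:" line in $1 (empty if absent).
boot_rom_version() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Boot ROM Version:[[:space:]]*//p' | head -n 1
}

# Compare a microcode revision ($1) with a minimum ($2). Both may be decimal
# (as sysctl prints) or 0x-hex (as vendor notes list them). The comparison is
# only meaningful within one CPU model/stepping. Echoes "ok" or "below-minimum".
microcode_ok() {
    cur=$(( $1 ))
    min=$(( $2 ))
    if [ "$cur" -ge "$min" ]; then
        echo ok
    else
        echo below-minimum
    fi
}

# Constructed sample output (not captured from a real machine), used by run_demo.
SAMPLE_BRIDGE='Controller:

    Apple T2 Security Chip:

      Model Name: Apple T2 Security Chip'

SAMPLE_HW='Hardware:

    Hardware Overview:

      Model Name: MacBook Pro
      Boot ROM Version: 1234.56.7.0.0 (iBridge: 18.1.2.0.0,0)'

MIN_MICROCODE=0xd4   # placeholder; look up the real value for your CPU

# Run the parsers over the constructed samples; one line per check.
run_demo() {
    echo "T2 chip:   $(has_t2 "$SAMPLE_BRIDGE")"
    echo "Boot ROM:  $(boot_rom_version "$SAMPLE_HW")"
    echo "Microcode: 214 (0xd6) vs min $MIN_MICROCODE -> $(microcode_ok 214 "$MIN_MICROCODE")"
}

# Query the live machine. Everything is read through macOS itself; a
# compromised T2 (which hands the EFI to the Intel side) could lie, so this
# is inventory, not proof of integrity.
run_live() {
    if [ "$(uname)" != Darwin ]; then
        echo "live checks need macOS; showing constructed samples instead"
        run_demo
        return 0
    fi
    echo "T2 chip:   $(has_t2 "$(system_profiler SPiBridgeDataType 2>/dev/null)")"
    echo "Boot ROM:  $(boot_rom_version "$(system_profiler SPHardwareDataType 2>/dev/null)")"
    ucode=$(sysctl -n machdep.cpu.microcode_version 2>/dev/null || echo 0)
    echo "Microcode: $ucode -> $(microcode_ok "$ucode" "$MIN_MICROCODE")"
    ef=/usr/libexec/firmwarecheckers/eficheck/eficheck
    if [ -x "$ef" ]; then
        "$ef" --integrity-check || echo "eficheck reported a problem or is unsupported here"
    fi
}

run_live
```

Run it as a normal user on the Mac in question; the Boot ROM string and microcode revision are what you would compare across a fleet or against Apple's release notes. Because the script reads everything through the host kernel, it cannot tell a healthy T2 from one that is feeding the Intel side a consistent lie, which is exactly the gap the post is describing.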
 