Basically, all BMCs have to be assumed to be insecure. This article details the incompetence of vendors and standards to keep these systems reasonably secure.
For the high prices we pay for these products its fair to expect that vendors have built safe, secure products. But most assuredly, no server vendor is doing that with respect to BMC.
In addition to our research, multiple teams have discovered vulnerabilities in other BMCs, such as the recent HPE iLO4 Authentication Bypass and RCE publication and the The Unbearable Lightness of BMC’s talk at Black Hat. Even back in 2013, Dan Farmer and HD Moore (penetration tester’s guide, Supermicro IPMI) published about serious BMC vulnerabilities. Given the inherent privilege of the BMC in server architecture, a compromised BMC amounts to a significant compromise of the system.