The firmware could be locked down, but doing so is inconvenient for the manufacturers.
For example, I believe that the firmware flashing allows for easy configuration of the USB storage size, so there's no need to hard-code values in the hardware. As a result, you can easily re-use components and repurpose them as needed.
It might also be used for mapping out bad sectors during device testing? That way you can stuff low quality flash storage into a USB stick and then blank out the bad parts during testing. This could be more difficult to do if the firmware isn't easily updateable.
It could still be locked out before being sent to market as a final step, something like an internal fuse in an EPROM being blown in such a way that the only way to re-access the "manufacturer" bits would be to get a new chip.
Tricky part is finding a bug in the firmware after release. If locked out, then can't update the stuff in the warehouses. Would need to scrap all parts in inventory, potentially costing hundreds if not thousands of dollars.
The logical thing to do, then, is making the firmware unaccesible once it's been used by the final user. Adding a fuse that breaks once the 5V from the user computer are sensed for the first time, for example.
How do you define "user computer"? We run a bazillion tests on our stuff during manufacturing. Stuff is plugged in/out of Windows boxes over and over on the manufacturing line.
It's hard to tell where that "last step" might be. Boxing? Shrink wrapping? Delivery to Amazon's warehouses?
Our ASICs have efuses to disable insecure firmware changes. (Need insecure fw updates during fw development.) During dev we wind up having to scrap parts because we blew the fuse prematurely.
For example, I believe that the firmware flashing allows for easy configuration of the USB storage size, so there's no need to hard-code values in the hardware. As a result, you can easily re-use components and repurpose them as needed.
It might also be used for mapping out bad sectors during device testing? That way you can stuff low quality flash storage into a USB stick and then blank out the bad parts during testing. This could be more difficult to do if the firmware isn't easily updateable.