
If you've never used the BMC on a server... it is all 100% garbage. Software mostly written by embedded folks who haven't got a clue. It is absolutely garbage software on the whole (and no matter what vendor you get the board from). Go ahead and hit up the web interface then do a bit of "View Source". If you are imagining the rest of that stack is any better than my friend have I got a Beautiful Bridge in Brooklyn to sell you!

If it were me I'd assume the majority of BMC firmware out there from all vendors:

1. Is full of many, many exploitable vulnerabilities.
2. To the extent they patch holes it will be whack-a-mole because the economics do not permit large investments in software quality.
3. Many server owners will never install a patch anyway.



BMC software quality is low, but what's the alternative? Without a BMC it is more expensive to manage a fleet of servers. In a better world hardware vendors would publish specs to allow open-source BMC firmware, but for some reason they resist this idea. With only insecure BMCs available, a semi-separate management network (connected via a bastion host or a VPN) provides a balance between cost and security.


> BMC software quality is low but what's the alternative?

Dedicated KVM devices?


This won't scale. A dedicated KVM needs you as an admin walking to the server, reswitching cables, walking back to the KVM console. Instead, with out-of-band management hw/sw, you spawn a dedicated ethernet and can access it from anywhere. It is a flexibility advantage at the cost of security.


There are boxes that can KVM to multiple servers at a time. You don't need to switch cables. They probably cost similar or less than BMC cards on a per-port basis. You might have to combine with some sort of network boot to set up a machine from scratch.


> They probably cost similar or less than BMC cards on a per-port basis

If you build your own servers that's an option to consider, but most off-the-shelf servers are sold with a BMC (so you pay for it even if you don't want it). Maybe some low-end brands sell servers without a BMC, but if you are looking for relatively reliable hardware you'll likely get a server with a BMC.


I was thinking more like just having one IP KVM per server always hooked up to a dedicated management network, basically used exactly like a BMC just with better software.


There is the open source OpenBMC software nowadays, which is pretty good.

Unfortunately, Supermicro doesn't use it yet for most of their servers. Probably because they sell an extremely expensive license for their own software so you can use the Redfish API.


The one vendor mentioned in the comments, AMI, is switching this code base to OpenBMC. Also it should be noted that often this software is system specific.



