if you want to security, I think a generic boot loader isn't really a realistic target. A boot loader should be specific to the hardware. If you want a generic boot loader, you need to integrate perfected boot loaders for each hardware.
downvotes and no replies but I know I'm correct. buffer overflows and reproducibility in builds is only the smell of a secure bootloader, real secure bootloading is not going to happen in Grub2 without a total rewrite and a boot system that's built to be correct FIRST instead of recoverable for bad states with internal logging and exception handling.