I can barely see the point to BIOS passwords. They are slightly useful if you don’t want guests using a machine for some reason. If you don’t have a BIOS pw, the OS login is good enough unless you need to stop them booting their own media. On all desktops it is rightfully easy to clear the BIOS. There are jumpers specifically for this purpose, apart from also just popping out the CR2032 battery or unseating the BIOS chip (old models). The BIOS pw does not (and should not) protect from data access at the hands of someone who can open the box.
The only failure I see here is the fact that Lenovo tried to make the BIOS unclearable in the first place, thus increasing e-waste. That’s the real story. The security fail is nothing interesting; it’s the attempt at ecocide that should have the focus.