Processor Microcode Updates
One recent example of a firmware vulnerability is the processor microcode update for modern chips to address speculative [archive] execution flaws [archive]. The Debian package [archive] is non-free software, therefore only available in the Debian nonfree repository, meaning it is not installed by default in all Whonix variants.   Whonix recommends to avoid nonfree software but in this case idealism would result in insecurity.
It is unnecessary to apply these updates in standard Non-Qubes-Whonix ™ and Qubes-Whonix ™ guest VMs, as they do not have the ability to alter the microcode. However, processor microcode updates should always be applied on the host operating system (for processors by Intel or AMD)  and baremetal configurations like Physical Isolation. 
Microcode Package Check
In the following checks, the package is not installed if there is no output.
To check whether the microcode package is installed.
On the host. Run.
dpkg -l | grep microcode
In dom0. Run.
dnf list | grep microcode
The Qubes check should confirm the
microcode_ctl.x86_64 package is already installed. 
Install Microcode Package
sudo spectre-meltdown-checker --paranoid ; echo $?
- Relevant Debian packages for processor microcode: Intel [archive] and amd64 [archive].
- Installing these updates by default would require the Debian nonfree repository, and logically also make Whonix images nonfree.
- ARM is less affected than Intel architecture.
- See: https://forums.whonix.org/t/whonix-vulerable-due-to-missing-processor-microcode-packages/5739 [archive]
- This package is installed by default in Qubes to automatically protect users against hardware threats.