I've definitely seen Windows update push firmware updates but that was on a Surface so not sure if it's a first-party only thing or if any OEM can use that channel.
Does your aunt know how to apply bios updates? And that's assuming such updates are available at all. I searched up various Z170 (released mid 2015) chipset motherboards, and the bios updates seem to end around early-mid 2018. That works out to around 3 years of patches. It's therefore reasonable to assume that if any exploit was discovered today, any systems 3+ year old are sitting ducks.
Are we talking about the same thing here? Microcode updates might be delivered through windows update but is ME updates delivered through that? Or is it through bios updates?
My aunt probably isn't running a corporate machine that would HAVE the IME in it. It's a business-oriented feature that is part of the chipset, not the CPU.