You can estimate Security as the inverse of the Probability of Attack.

S=1/P(A)

Firmware upgrades are always (99.99% of the time) performed on non-hostile environments (or at least behind a firewall and/or NAT device), then the TFTP firmware upgrade security is very good even when the protocol itself lacks of security features.

From RFC 7440 - TFTP Windowsize Option

Security Considerations

TFTP includes no login or access control mechanisms.  Care must be
taken when using TFTP for file transfers where authentication, access
control, confidentiality, or integrity checking are needed.  Note
that those security services could be supplied above or below the
layer at which TFTP runs.  Care must also be taken in the rights
granted to a TFTP server process so as not to violate the security of
the server's file system.  TFTP is often installed with controls such
that only files that have public read access are available via TFTP.
Also listing, deleting, renaming, and writing files via TFTP are
typically disallowed.  TFTP file transfers are NOT RECOMMENDED where
the inherent protocol limitations could raise insurmountable
liability concerns.

TFTP includes no protection against an on-path attacker; care must be
taken in controlling windowsize values according to data sender, data
receiver, and network environment capabilities.  TFTP service is
frequently associated with bootstrap and initial provisioning
activities; servers in such an environment are in a position to
impose device or network specific throughput limitations as
appropriate.

Also most of the firmware updates today use some sort of image integrity check before really flashing the binary.

The use of TFTP is classical because it is a very simple, easy to implement, protocol with a very small memory footprint.

TFTP It is also a key component on PXE network boot where the NICs use it for retrieving the NBPs and early boot components,