They aren't always small: a Radeon UVD firmware file is 100+ kilobytes, an Intel wifi firmware file is bigger than half a megabyte (bigger than a recent TeX binary, an old example of big and complex software).
We have some knowledge of what the hardware can do; for example, PCI network cards can access RAM and the network, see e.g. http://esec-lab.sogeti.com/post/2010/11/21/Presentation-at-Hack.lu-:-Reversing-the-Broacom-NetExtreme-s-firmware (it has firmware on chip, not provided by the kernel). It's not easy to reliably determine that the firmware doesn't, e.g., send passwords from memory to the vendor, or whether its updates add such features (it's a reason for the FSF to support devices with firmware in ROM).