I just was given a pair of these headphones yesterday that had firmware 2.5.1. Unfortunately I allowed my phone to update the firmware on it. It was while it was updating that I decided to manually grab some other firmwares because I like to have a library of them for each updatable device I own. I was horrified to find out about this issue, and even more horrified to find out that Bose doesn't release standalone firmwares or even "allow" reverting.
I dodged a bullet, I think, in that for some reason my phone didn't update my QC II's firmware to 4.x, but only to 3.1.8. I don't know why this happened, but I will now be halting all further updates.
To Bose and the public at large: The question of whether or not the new firmware causes a performance degradation is actually red herring. The real issue is whether or not a hardware manufacturer can or should retain control over what released firmwares are "allowed" on customer-owned devices. The reasons you give for not "allowing" reversion (I'm not calling it a downgrade because this is a qualitative and unproven description) are both specious and likely disingenuous. The latter first: the real reason is that you have likely made contracts with third parties like Google and Amazon with promises of functionality you will include which involves them paying you. Which of course puts your contracts with them at odds with the best interests of your customers. It's better if you just own this and take your lumps.
Now, as to why the reasons you give are specious. The given reasons were security and interoperability. Security: if there is a security issue with previous firmware versions, then the proper and responsible way to address this is to release a security vulnerability report. I see none issued, and there are presumably many people (especially now) with older firmware versions who, if there really are security concerns, are now vulnerable. Vulnerability reports identify the vulnerability and allow people to make informed decisions on upgrading based on the identified threat. Since you have made no effort at releasing this, then there are only two conclusions, and that is you are either being irresponsible, or that there really are no security concerns to speak of. Interoperability has the same reasoning as above. If there really are inter-firmware interoperability issues, then the proper way forward is to specifically identify each of those issues and identify the firmware version in which each one is remedied so people can intelligently decide whether or not a firmware update is justified.
It is literally astonishing Bose has not adopted this kind of model, especially in light of the enormous amount of bad publicity this has generated. This issue would literally go away over night if people could decide which firmware they wanted. It is clear that Bose wants to maintain control over headphones that people have purchased and rightfully own. This is why they can't countenance that. That and the fact that downloadable firmwares would also make back-and-forth testing much easier to do. If Bose really wants to be transparent, "trust us, our investigation says the firmware isn't to blame" is not the way to do it. If Bose wants to be transparent they release that audio quality report and then say "but here are versions 2.5.1, 3.1.8, and every other major release firmware, see and hear for yourself, but once you realize the quality is the same, please upgrade to get the latest security patches, oh, and these are the security fixes addressed in each version".
Pushing firmware updates with no means of reversion is irresponsible on its face, and it only promotes people fighting the update process. Companies who are genuinely interested in interoperability and who have the best interests of their customers (and not side-channel deals with other companies) truly at heart and who are truly interested in real security provide open reversion processes so that people can update their firmware secure in the knowledge that they can revert any time if there is a problem.
Trust is a hard thing to earn back. I for one am glad I personally spent no money on these headphones, and you can rest assured that until Bose adopts a model that is more in line with best practices, I for one will never spend a cent on Bose. Further, I publicly admonish everyone else not to spend money on Bose either and to write Bose to tell them they have lost a future customer. We own our headphones, not Bose. Not Google or Amazon or whomever else has paid Bose for one-button access to our property.
(Edited for clarity)