Block layer or filesystem driver vulnerabilities would be even better – no special hardware needed. Just buy a load of cheap flash drives, copy over your malicious partition table or filesystem, and you're set.

that seems a little optimistic, I figure there must be some moderately obscure device drivers that get much less scrutiny.

I suspect a lot of machines still have old floppy disk drivers...