"I'd like clarity on who (MS or OEM) has responsibility for what in this update"

The best TL;DR I can give is this:

• UEFI is a specification, not a standard. UEFI allows some of these updates to be done, but the implementations of those specifications is going to differ from vendor to vendor. Not to mention, bugs exist.
• The KEK updates MUST be signed by each vendor's PK. MS doesn't have the PK, each OEM is sovereign over their PK.
  • Look up the secureboot_objects github repo for more.
  • Therefore, KEK updates take two to tango - OEM and Microsoft.
  • KEK updates rely on the firmware implementing the specs reliably.
  • As with all software, MS strongly recommends updating firmware to the latest version to ensure any bugs in the KEK updates are avoided.
• The DB and DBX updates (installing/removing the signing CAs) are signed by Microsoft's KEK.
  • Microsoft is the only dancer, but again, bugs can exist which might prevent reliable DB and DBX updates on each device.
  • DB/DBX updates rely on the firmware implementing the specs reliably.
  • As with all software, MS strongly recommends updating firmware to the latest version to ensure any bugs in the DB/DBX updates are avoided.
• The bootloaders are signed by Microsoft's CAs.
  • Microsoft is the only dancer.

Because bugs exist, MS gives admins a decent amount of control to roll things out at their own pace (except by default high confidence devices/buckets).

If you're running devices (including VM hardware) beyond it's reasonable/supported lifespan/lifecycle, then there's not much anyone is going to do for you. Upgrade.