So from my understanding, we still need an arm9 exploit to write the hax signed firmware, or maybe a hardmod.
But if we DO get an 11.3 exploit, then we won't need to ctrtransfer to 2.1 because sighax can get in while the OTP is readable.
But currently if we have a9lh in, we don't need sighax anyway.
From what I understand there's nothing preventing a complete firmware replacement with a9lh, because it still boots before firmware, which is how it lets you reflash a NAND backup so easily and recover from soft bricks. It's just that no one has bothered yet.
So the reason you can't just hijack the update process is because the updater actually properly checks the signature and isn't fooled by the hax sign (you just plain lose, Nintendo).
(If I ever do get sighax on, I want it to display a splash screen that says
Hax Sign: Nintendo just plain loses
)