That's a bit wrong. We do not need more than IOSU (installing a channel has nothing to do with boot-keys). In the large picture you are still right though, in that we cannot have it the same way we had it on the Wii.
IOSU checks title IDs, signatures and whatnot, so with IOSU access we can disable signature checks and install a homebrew channel. The difference between the Wii and Wii U, though, is that the Wii only checked the signatures of applications when they were installed and not when they were run. The Wii U does both.
Hence, we can have Homebrew Channels etc., but we would still need to run the exploit before we can use it.
And yes, that is where boot0/1 enters the picture. Boot0 would be fantastic to find a vulnerability for, as it's the hardcoded bootROM (that loads boot1) in the ARM processor, and thus cannot be changed by Ninty (they would need a new hardware revision of the Wii U for that).
Boot1 would be fantastic too, as it's the job of boot1 to decrypt the ancast image that contains the ARM's OS (= IOSU), even though it can be changed by Ninty.
So yea, boot1 exploitation would mean that we can disable the signature checks in IOSU, already when we load it into memory. Don't count on it though. To be honest, I am really surprised already that we have gotten this far.
IOSU is already better than the wet dream I had last week.
(<-- sorry for that last line... Pls still like my post)
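
The install-time versus launch-time distinction described in the post above, as an added example that is not part of the original post and is not console code: a toy title store showing why content that changes after installation goes unnoticed when signatures are checked only at install, and is refused when they are also checked at launch. `TitleStore`, `VENDOR_KEY` and the title names are hypothetical, and HMAC-SHA256 stands in for the real asymmetric signature scheme.

```python
import hashlib
import hmac

# Constructed stand-in: a real console verifies an asymmetric signature;
# HMAC-SHA256 with a demo key keeps this example standard-library only.
VENDOR_KEY = b"constructed-demo-key"

def sign(content: bytes) -> bytes:
    return hmac.new(VENDOR_KEY, content, hashlib.sha256).digest()

def signature_ok(content: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(content), sig)

class TitleStore:
    """Hypothetical title database with a configurable verification policy."""

    def __init__(self, verify_on_launch: bool):
        self.verify_on_launch = verify_on_launch
        self.titles = {}  # title_id -> (content, signature)

    def install(self, title_id: str, content: bytes, sig: bytes) -> None:
        # Both policies check at install time.
        if not signature_ok(content, sig):
            raise PermissionError("install rejected: bad signature")
        self.titles[title_id] = (content, sig)

    def launch(self, title_id: str) -> bytes:
        content, sig = self.titles[title_id]
        # Only the stricter policy re-checks the stored content before running it.
        if self.verify_on_launch and not signature_ok(content, sig):
            raise PermissionError("launch rejected: bad signature")
        return content

def content_changed_after_install(verify_on_launch: bool) -> str:
    """Install a validly signed title, change the stored bytes, then launch."""
    store = TitleStore(verify_on_launch)
    original = b"vendor title v1"  # constructed sample content
    store.install("demo-title", original, sign(original))
    # Stored content no longer matches the signature that passed at install.
    store.titles["demo-title"] = (b"modified content", sign(original))
    try:
        store.launch("demo-title")
        return "launched"
    except PermissionError:
        return "rejected"

if __name__ == "__main__":
    print("install-only policy:   ", content_changed_after_install(False))
    print("install + launch policy:", content_changed_after_install(True))
```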