It's a big deal if you have fleets of machines which travel outside your control. It lets you treat them as identical (modulo hardware damage).
It's also a big deal because on a conventional machine, malware can remotely download, root, reflash, and persistently doom you, no physical access needed.
> Why wouldn't you be able to treat them as identical?
If a given machine can have arbitrary software installed on it, then that machine can behave differently than other machines in the fleet.
If all machines in your fleet can only install and/or run software signed with the company key, then the company can ensure that the software load for all machines remains the same and -thus- all machines behave identically.
> How would being able to change the sync/verification server make Chromebooks vulnerable...
If the software repo and/or verification server can be changed by a third party, and the trusted keys installed in the machine can be changed, then it's trivial to pwn such a machine. If only the servers can be changed, then it requires loss of control of one's signing keys to pwn such a machine. [0]
[0] Or -obviously- a sufficiently bad privilege escalation bug can pwn such a machine.