I haven't got a Mac to hand with that update on, but it might be in /Library/Receipts/InstallHistory.plist.
You could create an extension attribute to read it out.
You could read the receipts like David suggested to see if the install of the firmware update was logged:
cat /Library/Receipts/InstallHistory.plist | grep "Mac EFI Security Update 2015-001"
A more accurate option is to check which version of EFI is actually installed. This would take a bit more work to put together, since the versions are different for each model. You can see the current EFI version per model in the Apple KB article here: About EFI and SMC firmware updates for Intel-based Mac computers
You'd just need to match up the versions in that KB with what the machine reports is installed, which you can gather with this:
system_profiler SPHardwareDataType | grep "Boot ROM Version"
Boot ROM Version: IM142.0118.B02
Seems like checking the boot ROM version would be the simple way to determine that (although you'd need to know the before and after boot ROM versions on all your different Mac types).
After seeing this discussion I had the idea for an extension attribute. See the code below.
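#!/bin/bash
# Jamf extension attribute: compare this Mac's Boot ROM version with the one Apple's page lists for its model.
model=$(system_profiler SPHardwareDataType | grep "Model Identifier" | awk '{ print $3 }')
appleSite="https://support.apple.com/en-us/HT201518"
machineVersion=$(system_profiler SPHardwareDataType | grep "Boot ROM Version" | awk '{ print $4 }')
# Take the line that follows the model identifier on Apple's page and pull the version out of it.
currentVersion=$(curl -s "$appleSite" | grep -A1 "$model" | tail -n 1 | sed 's/>/ /g' | awk '{ print $4 }')
# Quote both sides so the right-hand side is compared literally, not as a glob pattern.
if [[ "$machineVersion" == "$currentVersion" ]]; then
    echo "<result>Current</result>"
else
    echo "<result>Update</result>"
fi
exit 0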
Thanks @brockma9, this works well as of October '15 on Mavericks... j
@brockma9 thanks for sharing!
Unfortunately, Apple hasn't updated the page since March so the EA shows current machines as update :(
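An added example, not code from any poster in this thread: an extension attribute that compares the Boot ROM version against a locally maintained per-model table instead of a scraped web page, treats firmware newer than the table as current, and reports Unknown when it has no data for the model. The table rows, the sample profiler text and the function names are constructed for illustration, and the ordering check assumes fixed-width, upper-case version fields.

```bash
#!/bin/bash
# Added example, not code from the thread.
# Rows are constructed placeholders ("ModelIdentifier MinimumBootROM"):
# replace them with pairs you have verified for your own fleet.
MINIMUM_TABLE='iMac14,2 IM142.0118.B02
MacBookPro11,1 MBP111.0138.B16'

# Constructed sample of `system_profiler SPHardwareDataType` output.
SAMPLE_HW='Hardware:
    Hardware Overview:
      Model Name: iMac
      Model Identifier: iMac14,2
      Boot ROM Version: IM142.0118.B02'

# Print the value of one "Key: value" line from profiler text ($1=text, $2=key).
sp_field() {
    printf '%s\n' "$1" | awk -F': *' -v k="$2" \
        '{ sub(/^[ \t]+/, "", $1) } $1 == k { print $2; exit }'
}

# Print Current, Update or Unknown ($1=model identifier, $2=installed Boot ROM).
firmware_status() {
    fs_min=$(printf '%s\n' "$MINIMUM_TABLE" | awk -v m="$1" '$1 == m { print $2; exit }')
    # No table row, or nothing read from the machine: report that, do not guess.
    if [ -z "$fs_min" ] || [ -z "$2" ]; then echo "Unknown"; return 0; fi
    # The text before the first dot is the platform prefix; it must match the row.
    if [ "${2%%.*}" != "${fs_min%%.*}" ]; then echo "Unknown"; return 0; fi
    # Assumption: the remaining fields are fixed-width and upper-case, so plain
    # string order is version order. Newer-than-table firmware counts as Current.
    if awk -v a="${2#*.}" -v b="${fs_min#*.}" 'BEGIN { exit !((a "") < (b "")) }'; then
        echo "Update"
    else
        echo "Current"
    fi
}

# Extension attribute entry point: $1 = profiler text.
ea_result() {
    er_model=$(sp_field "$1" "Model Identifier")
    er_rom=$(sp_field "$1" "Boot ROM Version")
    echo "<result>$(firmware_status "$er_model" "$er_rom")</result>"
}

# On a Mac, report on the local hardware; elsewhere, run on the sample.
if command -v system_profiler >/dev/null 2>&1; then
    ea_result "$(system_profiler SPHardwareDataType)"
else
    ea_result "$SAMPLE_HW"
fi
```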