"run on top of" is for compatibility. Need special boot loaders for EFI thus need either a BIOS compatibility for older OSes that don't have EFI boot loaders. For example, only 64-bit versions of Windows can boot with a pure-EFI motherboard. And no, it doesn't need to be replaced to meet MS's mandate. The only thing MS says is that SecureBoot needs to be on by default to receive the Windows 8 logo certification. Which in itself is not required.
Whether one can turn SecureBoot on or off is up to the discretion of the OEM. There is nothing within the logo requirements that specifies that SecureBoot cannot be turned off.