I've been thinking about this, but my Android-fu isn't too strong. I still need to do a bunch of research.
There are three warning messages: yellow, orange, and red. I think you get the yellow one when the bootloader is unlocked and the red one when the verity checksums do not match the actual ROM (i.e., something has been modified).
I think one way to get rid of the messages would be to relock the bootloader and also update the checksums so that they do match. I might be missing something here, but the issue with locking the bootloader is that we won't be able to flash any new recoveries. I think this can be worked around by flashing the new recovery as a zip file, not an image. My Marshmallow-fu isn't great in this area, so I'm not sure what has changed recently that prevents this.
The red warning might be harder, and I need to do more research into the checksum process and how the ROM is verified. I suspect this has to do with the dm-verity bits.
Edit: OK, I did 20 mins of "research" - http://source.android.com/security/v....html#overview
We will get the orange warning if the bootloader is unlocked.
If the bootloader is locked, we will get the yellow warning whenever the signatures don't match the OEM key, but do match the public keys (user, not OEM) used to sign the images.
The red warning can be avoided by signing the images and including the public key.
As noted above, the images can be changed to reduce the eyesore. In a more ideal world, we would just get the yellow warning.