To the linked article: the whole thing is mostly a big PR disaster for Ledger, even though what is said in the article is technically true.
it has always been possible to extract users’ keys with a firmware update
At least in Trezor, when you do a firmware update, it wipes your seed from the device and you have to reseed it (maybe not with every update, but I do updates so rarely that there is always a change in major version). That is the moment when rogue firmware could send the seed to the attacker. Such activity would be fairly easy to spot, which would ruin the company's reputation and wipe their future profits, but technically it is possible.
the government could access Recover customer assets through subpoenas
Yeah, that's why you don't set up such a service, and if you do (because you prefer to extract money with a bogus service instead of offering solutions that make your product easy and safe to use even for the least tech-savvy customers), you place one part of the recovery with a company in Singapore, the second in Switzerland and the third to be held by the customer's lawyer.
you only get a subpoena like this from governments if it's a serious act like, you know, terrorism
For example, the kind of terrorism where you send a couple of bucks to help Canadian truckers protesting against their basic rights being violated :o)