This is a problem, and was already fixed by a firmware update.
Which took them close to 4 months to put out and still is not properly alerting & forcing users to update.
What is the source for the 4 months? As far as i know this has been fixed pretty fast..
Assuming you can trust everyone who handled the package from when it left their shipping dock till when it wound up in your mailbox.
You don't have to trust anyone. You can verify everything yourself (hardware + firmware).
The ledger team has published a guide:
https://support.ledgerwallet.com/hc/en-us/articles/115005321449-How-to-verify-the-security-integrity-of-my-Nano-S-Of course, the fact that we have to use closed source computers to run Bitcoin Core, makes it impossible to be 100% safe esp. against state actors.
You don't have to use a closed source OS. You have decided for yourself to use closed source software.
Everyone is free to use the software he wants. There are a lot of open source linux distributions available on the internet.