Just because there are vulnerabilities found does not mean that they are inherently insecure. Do you say the same things about software wallets too (many of which have had vulnerabilities found and patched, just like with these hardware wallets)? Do you say the same thing about the general purpose computer you use which you don't even know how it works? Every piece of software and many pieces of hardware will have some vulnerability found in them; given enough time, it's almost inevitable.

That's slightly misleading. This 15 year old has dedicated a lot of time into working on hardware wallets, particularly in their firmware. He's been involved in numerous other vulnerability discoveries in the past with Trezors (and possibly Ledgers). The kid is very smart, probably smarter than you when it comes to hardware wallets. He's not just some random 15 year old who found this; he actually dedicated a lot of time into learning about how hardware wallets work and has been working with them for years.

I don't think you understand what an evil maid attack is. It is, by definition, a physical access attack. You need to have physical access to the device in order to perform any of the known vulnerabilities (which have since been patched). An evil maid attack means literally that someone (like a maid) enters your room physically and does something malicious to a device (hence an evil maid).

Vulnerabilities take time to fix and release. They can't just publish that there is a vulnerability or details about the vulnerability before a fix is available. It probably took them 4 months to figure out a solution. Also, Ledger can't force users to update, and there has been plenty of alerting (which, by the way, also cannot be forced).

There's a hardware and software attestation process that you can go through to ensure that your Ledger has not been tampered with.

https://saleemrashid.com/2018/03/20/breaking-ledger-security-model/
Scroll down to "Disclosure timeline"