Because of that, it is always smart to wait some time with updates, but some users just click the update/upgrade button as soon as they see it.
The problem with that approach is if a critical vulnerability has been discovered in the current firmware and you are advised to upgrade ASAP. If you also want to wait a week (or longer) after the latest firmware has been released to ensure that there is nothing wrong or malicious with it, then you are essentially stuck without being able to safely use your device in the meantime.
I am not impressed by Ledger's response regarding this issue; they should have fixed that a long time ago (if they knew about this), and not waited for such things to be publicly displayed.
Ledger has a Bounty Program (http://www.ledger.fr/bounty-program/) for people who find bugs, so they can be responsibly disclosed and patched. Ledger even said in their response that "We regret that the researchers did not follow the standard security principles outlined in Ledger's Bounty program." I can see where you are coming from, and in an ideal world there would be no issues whatsoever, but this is an unrealistic standard to hold. Bugs will always be discovered, and we can't really expect them to fix a bug they weren't informed about. This video was posted on the 27th and they had addressed it by the 28th. I think that's pretty good.