The problem with that approach is that if a critical vulnerability has been discovered in the current firmware and you are advised to upgrade ASAP, but you also want to wait a week (or longer) after the latest firmware has been released to ensure that there is nothing wrong or malicious with it, then you are essentially stuck without being able to safely use your device in the meantime.
Sometimes it is better to wait and not use the device for a few days or weeks than to download something potentially dangerous. In this case, users should check whether the upgrade is legitimate and how necessary / critical it is.
I can see where you are coming from, and in an ideal world there would be no issues whatsoever, but this is an unrealistic standard to hold. Bugs will always be discovered, and we can't really expect them to fix a bug they weren't informed about. This video was posted on the 27th and they had addressed it by the 28th. I think that's pretty good.
You're totally wrong; I do not come from a world where bugs/exploits do not exist. My point here is that Ledger completely relies on other people (outside the company) who reveal security vulnerabilities in its products. You say that they should wait and do nothing, completely relying on their Bounty Program?
The video was posted on 27 December and Ledger answered the next day, but that does not mean anything; it is just a comment and not a solution. What is good in that?