Board: Hardware wallets
Re: wallet.fail - 35C3 talk on hardware wallet vulnerabilities (Ledger, Trezor)
by o_e_l_e_o on 30/12/2018, 13:42:56 UTC
My point here is that Ledger completely relies on other people (outside the company) to reveal security vulnerabilities in their products. You say that they should wait and do nothing, completely relying on their Bounty Program?

I never said they should wait and do nothing. They also do not solely rely on external sources, and as with Trezor, have a team who are constantly analyzing and improving their device's security. All I said was that there will always be bugs, and there will always be bugs which the developers miss and are found by third parties. There is a Bounty Program and an established method of responsible disclosure of potential bugs, which the security researchers in HeRetiK's video ignored, and as soon as the bug was revealed, they got to work on it.


It is just a comment and not a solution; what is good in that?

I think it's worth repeating that while they installed a custom bootloader on the Ledger Nano, they haven't been able to gain access to the secure element and they haven't been able to extract private keys, PINs, seeds or funds. The bug is non-critical and they've stated it will be patched on their next firmware release. I don't think it requires an emergency firmware release to fix.