Say that even if we've got the old nano s but they can still try to do something and update and force an update for its firmware, is that right?
An update is irrelevant. As I explained earlier in this thread and in the tweet just above, the whole point of Ledger's Secure Element was that the private keys could never leave the Secure Element. We now know that claim is a lie, and had therefore been a lie since day one. All Ledger devices are vulnerable whether or not you opt in to this or update to the latest firmware.