An update is irrelevant. As I explained earlier in this thread and in the tweet just above, the whole point of Ledger's Secure Element was that the private keys could never leave the Secure Element. We now know that claim is a lie, and has therefore been a lie since day one. A simple piece of code is all that is required to extract your private keys. All Ledger devices are vulnerable whether or not you opt in to this or update to the latest firmware.
Honestly, more and more I have the feeling that there was a big miscommunication about how everything was going to work and the sentence still cannot be removed. But the problem is already done and they will hardly be able to go back.
Once doubts are generated at this level, it will be difficult for anyone to go back to believing that portfolios do not have a back door - especially those that are updated in the future.