An update is irrelevant. As I explained earlier in this thread and in the tweet just above, the whole point of Ledger's Secure Element was that the private keys could never leave the Secure Element. We now know that claim is a lie, and has therefore been a lie since day one. A simple piece of code is all that is required to extract your private keys. All Ledger devices are vulnerable whether or not you opt in to this or update to the latest firmware.
But at this point with Ledger's statement, all devices (even coldcards for example) that have the same secure element chip are vulnerable or am I wrong? Because if it's true that until yesterday you couldn't extract the private key, today it seems that it can be done simply via software, and who can guarantee me that it can't be done with others as well?