Let's also not forget that it took a famous hardware hacker three months to discover a vulnerability in a Trezor he had physical access to. And the only reason it worked was because the device used an outdated firmware version that made such a vulnerability possible. That has been patched a long time ago. Trezors remain vulnerable to physical manipulation, but you must know what you are doing. A random thief doesn't. Even if the required hardware for a successful attack isn't expensive, it's not something most people keep in their garage or know how to use.