Don't update newer firmware because you could enable access to your keys, and some government could potentially seize coins from you in future, especially if you live in US, UK and France.
Ledger is a failure and I think no one should rely on their words anymore, at least since things are clear. Are you sure that your keys weren't even revealed before this latest firmware update and it wasn't backdoored the whole time you were using it?
That is correct. To the best of my knowledge, their firmware is fully closed source, so there is no way to know whether they had code in it in the past, which extracts seed phrases from secure storage and uploads them somewhere.
Someone already mentioned that with their track record, if they had done such thing en masse, they would already have lost those seed phrases in a hack or data leak. But it's definitely possible that they had a backdoor to selectively extract some wallets' seeds and / or addresses (e.g. for tracking / surveillance purposes).