So, reformatting the device and updating the software/firmware should prevent such a supply chain attack.
In theory, yes. The remote attack would only work if someone had prior physical access to the device and were to install malicious software on it. If you moved from that back to an official firmware, I guess you would be safe. At least that's how I understood it, but I am not sure.
This isn't too serious of an issue anyways. It can only become a problem if someone else with enough hardware and software knowledge had access to your wallet. They wouldn't be able to extract PINs and keys, but they could install software that generates weak/biased entropy for your seed and then use that knowledge to remotely empty your wallets in the future.
Speaking of vulnerabilities, one of the older Trezor models has an unfixable vulnerability that allows extracting the seed when the device is in physical possession and when no passphrase is set.
Both the Trezor One and Trezor T suffer from the same vulnerability. That attack vector is fixed in the Safe 3/5, though.