This doesn't really make a lot of sense on face value. If there was widespread backdooring on these machines, which are everywhere, you'd think any of the multitude of excellent private security firms who work on this stuff would have found something by now. Beyond that, you'd think that the NSA et al would at least try to steer other branches of the government subtly away from Lenovo kit, when in fact it's pretty actively promoted in the public sector as a reliable choice.
So no matter how you slice it, it sounds like this couldn't have been both widespread on ongoing. Either it was limited to a certain run early on and has been shelved as a bad idea, but the NSA just doesn't want to run a risk of recurrence no matter how small; or, alternatively, it could be that bugged Lenovo machines were part of a specific operation against the NSA and there is and never was such a program at Lenovo in general distribution. It's even possible the malware was added somewhere between it leaving the Lenovo general assembly line and being on the test bench in the USA.
Either way, given all of that (which admittedly includes some assumptions, but I think reasonable ones) I'm even more confused about the point of this announcement.