Yeah, that's the ups and downs of it: user-updateable firmware is a security risk, but if you have a bug, it's an across-the-board recall. And it's not just them; Yubico had one or two in the past, and so did Nitrokey. (Nitrokeys have writeable firmware, but the programming pins are inside the case, which might make it the worst of both worlds?)
And of course, you have, by design, irretrievable secret key material or serial#s on the devices. It's a branch of IT that can become effing expensive, real quick. (It still might be the best we have right now, though?)