I read your insightful comment and hope someone will properly address this issue in this comment section. But I am not holding my breath. I am not well-versed in this subject matter. Therefore my thoughts below might be incorrect. However, it seems that the inherent conflict of interest that is set in place when a hardware vendor puts proprietary code on their hardware can best be solved by separating hardware sales from software sales. This remind me of the Chinese wall Wall Street firms legally yet typically only purportedly to set up to prevent the illegal "leakage" of corporate inside information. In other words, if hardware vendors were to only sell hardware, then this problem could likely be solved with free and open source software. But frankly I suppose this comes down to, "Trust the hardware vendor to be vigilant about properly maintaining and updating security" This seems like a sure fire recipe for hackers finding and exploiting security vulnerabilities. I would be glad for others who know more about this than I am to comment about this important issue. At this point my sense is the real message might be something like: "Go develop exciting and useful IoT applications with the wonderful new ESP32... and then just wait until some evil hacker wreaks havoc with the hardware your ESP32 is controlling."

Yay krackattacks.com to name a new one.