Why does that matter at all? There's no persistence granted by the debug commands. When you flash it with your firmware, it's clean. If you trust the firmware that ships, they can run arbitrary code in it, so why care about a few debug interfaces?
You're not responding to the full statement. Grandparent was saying that a supply chain attack is not possible with this exploit ("exploit", I guess -- again there's no security boundary being crossed here), not that supply chain attacks don't matter in the abstract.
There was no such attack demonstrated. The debug commands operate on the memory of the running BTLE controller. They can't be used to modify persistent firmware.
You order 100k chips for your products and while in transit they get compromised by a third party via said commands.
In any case, it is either gross incompetence or deliberate malice.