As far as I understand it, you can't emulate button presses by anything coming from outside (we have to believe the Ledger morons here, because black-box firmware).
That means everything else you said is irrelevant. No offense, but everything else you said relies on believing Ledger regarding how their hardware wallets work, which they've already lied about many times.
I don't see any obstacle to pushing a firmware update for those devices which signals "extract seed and phone home" without the user's consent and button presses.
Exactly.
How do we know the current firmware can't do this already? We don't. That's why I stopped using Ledger hardware last year and moved my Bitcoin to a seed that never touched Ledger hardware.
To anyone who says Ledger hardware wallets can't already extract your seed without you pressing a button to confirm it, I say: Prove it. Even Ledger admits they can't prove their firmware doesn't have any backdoors (they can't prove it without making the code open source).
That's like somebody saying "Your name isn't on this list!" OK, show me the list. "I, uh, can't do that."
Don't trust your Bitcoin to closed source code, especially not after the authors of that code lied about their code. Why does this even need to be said?
The buttons are software controlled, not more, not less.
The device uses closed source firmware with key extraction capability.
The device cannot be trusted because:
The firmware cannot be trusted.
And the company cannot be trusted.