That is just the surface. The SEs they have used are in general insecure, lack any security certifications, and the Coldcards are vulnerable to many supply chain attacks that I have not published yet. Modern attacks with the same method you mentioned btw would cost at most $2K with a DIY setup.