Now, whoever isn't lazy/incompetent/in bed with the CIA will implement required changes to eliminate vulnerabilities.
Why don't we eliminate the CIA instead? They are the problem.
It's "legal-ish" for the CIA to install malware on the devices of US citizens. It is also legal in the US for the CIA to install malware on the devices of foreigners anywhere in the world.
However, in most countries of the world, a foreign agency installing malware on devices of its citizens is a crime of espionage, or an act of war. Unfortunately, the CIA doesn't care about harming US citizens, and most definitely doesn't give a rat's ass about harming folks of other countries. Any legal action against the CIA will get you nowhere, really fast.
So how can you fight back? Well, kick the CIA where it hurts . . . right in their balls. The CIA has two types of agents in foreign countries, so-called "legals" and "illegals". "Legals" work in a consulate or embassy and have diplomatic immunity. "Illegals" are undercover and have no diplomatic immunity. You have no chance as a common citizen of identifying an "illegal".
"Legals", on the other hand, are quite easy to spot. They will usually have some innocuous sounding title, like, "Under Secretary for Cultural and Economic Exchange". So they can just hang out at cocktail parties and listen to political gossip. "The Economist" recommends: "Just look for someone who is obviously too clever for their job." CIA agents also run the visa department of US embassies and consulates. The want to check out folks even before they travel to the US.
So just visit your local US embassy or consulate, ask for a visa to the US. The guy who interviews you will be a CIA agent. Do NOT bring any devices with you! Wait outside after closing time for the agent to walk outside.
Then just kick him in the 'nads. If enough people in the world would do this, maybe even the US might think about taking notice of this.