Ha! apt-get had 17 vulnerabilities in the last few years, two of them with very high severity score, easily exploitable [0]. For example:
CVE-2019-3462 Incorrect sanitation of the 302 redirect field in HTTP transport method of apt versions 1.4.8 and earlier can lead to content injection by a MITM attacker, potentially leading to remote code execution on the target machine.
Yes, it's true... for Red Hat the worst RPM CVE I could see from a quick Google was back in 2012.
The CVE you mention is about the transport part; it's not easy to get right, and everything that goes on the network is at some risk of that. Still, that seems a different kind of implication than nobody checking for 3 years whether packages could be tampered with successfully, and afterwards nobody changing the infrastructure.
Yes, it was fixed when pointed out to them, after all OpenWrt users from 18.06+ had been exposed to this for three years. There's no known way to guard against bugs in the end, but... you can empirically test... they didn't check at all if their package signature check could detect tampering after patching it? For 3 years?
Then no infrastructure changes as a reaction to what happened? Like I said, good for them; the PR mentions they will get some funding, and this is the kind of thing they can spend it on.
Fixed that for you.