Comment on Thousands of customers imperiled after nation-state ransacks F5’s network

tal@lemmy.today 6 days ago

It definitely is bad, but it may not be as bad as I thought above.

It sounds like they might actually just be relying on certificates pre-issued by a (secured) CA for specific hosts to MITM Web traffic to specific hosts, and they might not be able to MITM all TLS traffic, across-the-board. Not sure whether that’s the case, and I’m not gonna come up to speed on their whole system for this comment, but if that’s the case, then you’d still be able to attack probably a lot of traffic going to theoretically-secured internal servers if you manage to get into a customer network and are able to see traffic (which compromising the software updates would also potentially permit for, unfortunately) but hopefully you wouldn’t be able to hit, say, their VPN traffic.
