I think the real reason people don't take supply chain endpoint security seriously is that it too quickly regresses to distrust of the OS and hardware. At that point you abandon smartphones entirely.
That's the paranoid answer. The much simpler answer is that you don't maintain the software on it; updates are done silently by whatever the hardware vendor decides passes their muster (or motive).
You should! They are government surveillance devices that broadcast their position at all times along with every bit of data they gather from their array of sensors: gyro, mic, camera, radio.