Realistically it’s not within their power to determine whether or not a provider was compromised due to the vulnerability within their software and not within their scope either.
From what I have seen they are being responsible about it – notifying their users and providing patches – not sure what more they could do short of avoiding the issue to begin but that chance has already passed – too late now.