I'm pretty sure he's just referring to the fact that if someone can push an ota update and you have something like iMessage that has encryption keys on the device, there's nothing stopping a company from pushing an update out that compromises your security. End to end isn't compromised, it's potentially compromised. Smartphones are the schrodinger's cat of security because while they're considered "secure" right now, they could be blown wide open via automatic update any second. Telegram is encrypted end-to-end, but if you have automatic updates on, there's nothing from stopping the developer or rogue actors (or states, like russia) from pushing an update out that uploads all of the encryption keys to their servers and decrypts everyone's messages. Automatic updates are fundamentally insecure because they can instantly compromise your security. If you want true security, go with open source and review (or wait for reviews) of all code changes that happen in the apps you use, and you want a distro that either doesn't have an os ota system or allows you to disable it. Also, there is potential for baseband attacks because we're all at the mercy of telecoms and no one runs custom firmware or opensource code on their baseband processor so who knows what vulnerabilities lie there.