VWWHFSfQ 1 day ago

> It is virtually impossible for them to ship a backdoor [..] without the security community noticing.

OpenSSH was trivially backdoored [1] and distributed in several major distributions, and the security community _did not_ notice until after it was already in the wild.

[1] https://www.ssh.com/blog/a-recap-of-the-openssh-and-xz-liblz...

qualeed 1 day ago

1) That was not "trivial", by any stretch of the definition. It was a 3-year long campaign by a (suspected to be) nation-state (or similarly resourced) actor! I don't think you can get any farther away from "trivial" if you tried.

2) From your link, it says: "Ubuntu 24.04LTS was a month away from being shipped with this backdoor, with other distros being on the same boat. Maybe the best way to describe it is this: had it gone undetected, Linux servers would have been running with a bomb waiting to be activated remotely." and "Luckily this backdoor was discovered in an early stage, and most of the Linux user community stays safe"

So, the security community _did_ notice.

xmodem 1 day ago

That was an attack targeting an optional dependency that receives significantly less scrutiny than OpenSSH proper. Which, to be fair, is probably also the most plausible path if you wanted to attack Signal.

I would quibble with calling it "trivial" though.