Keep in mind in the case cited they used physical access and USB to hack the set. If the spooks were really keen they could hack a set before the owner got it, or apply pressure to the maker to help them.
True, but a normal bug could be found, whereas finding your TV in the living room may come as less of a surprise!
What smart TVs? They are normally on the network full time. Mine appear on windows machines as a DLNA compatible output device.
Some of the older non smart TVs had ethernet only for updates etc.
Real security is a difficult game, and the rules change depending on who you are trying to defend against.
A combination of certificated sources, and signed binaries is probably the best approach.