The most stupid is the interplay with regulators: on one hand grapheneOS is far too secure if it comes to CSAM or organized crime on the other hand it is not secure enough for banking (most of the 2FA comes from the interpretation of the PSD regulations afaik).

It's not stupid. It's governments being extremely cheap. Banks (large banks are part of the government everywhere, at least when it comes to policy) and governments are totally dependent on certification (meaning someone to check security patches on devices), effectively a group of people that have some budget to check a lot of software version of a lot of devices. This doesn't have to be many people.

Nobody's willing to pay for it, so only Google, who have to do this for a bunch of other reasons, actually does it.

On the contrary, governments are imposing other restrictions on OS'es (like EU Chat directive), as well as making more and more critical government functions (like eID, and the various equivalents, and the banks) that can never work without OS certification, are utterly dependent on the App stores (it requires the ability to replace apps on user's devices without being detected), and thereby driving people deeper into Google and Apple's arms. Despite the fact that this makes the EU totally dependent on yet another US company, making this stupid. And, of course, it makes securing anyone in the EU against US spying an exercise in futility.

But it saves a little bit of money now, and gives the US, ie. Trump, yet another loaded gun aimed at the head of the EU economy. What could possibly go wrong?

Sell your airbus stock.