I think it has more to do with ignorance. Device attestation is not trivial to adopt while both Apple and Google promise you a very simple abstraction. So it takes being informed and having leverage in the process to be able to make a difference.

For me the blame is squarely on the technical “experts” who are behind the architecture and implementation of such apps.

Device attestation is precisely the thing I do not want my government to ever adopt. I have a Danish CPR number. They've given me a FIDO secure token generator as my phone is degoogled for MitID. Most Danes don't know what those words mean, and if they did, wouldn't understand why I distrust (all) governments (and indeed things! Three default scientific position is scepticism, albeit with varying degrees of priors)

The thing is, device attestation is fundamentally incompatible with digital freedom so governments should never adopt it to begin with. We lived without digital solutions that depended on device attestation and we will continue to do so.