Hacker News

> 150+ TrustZone CVEs, https://www.cve.org/CVERecord/SearchResults?query=trustzone

It’s important to note that most of those CVEs are to do with vulnerable software that manufacturers put in the TrustZone protected environment (many of which are garbage). There are very few vulnerabilities reported about the hardware itself.



Personally, I've always thought the fact these vulnerabilities keep happening demonstrates that TrustZone's secure execution environment just isn't designed well.

If you're a phone designer, and you're going to put unlock PIN validation into a trusted execution environment? Sure, makes sense. If you're going to put your widevine DRM code into a trusted execution environment? I guess.

But why did they make a design that means a vulnerability in the DRM code allows an attack on the PIN validation code? That means the attack surface is huge.

You gotta keep these clowns separated if you don't want them spraying each other with water and throwing pies down each other's trousers.


Isn't that just true for vulnerabilities in general? TrustZone is not a security mechanism, it's an isolation mechanism.



