Supply chain attacks also show one reason that using older software like Debian stable may be a better plan for things that matter. All new software versions need some time to be tested and vetted.
It also shows the importance of security in depth. That less is more in terms of code dependencies and complexity. That knowing dependencies is as important as knowing your code.
I would consider the xz incident to be a success. The supply chain attack was found pretty rapidly. We have already seen many of these and we will see more. Ones I remember off the top of my head include Linux Kernel, NodeJS, Python PyPI.
I would not over blow this. Security is an ongoing activity and all security is porous.