I don’t think we actually have negative evidence of this: we don’t in fact know that the xz attack took years to plan, or that its failure signals the failure of other attempts. I think it would be wrong for us to assume this.

(Plus, my recollection is that Debian didn’t catch it. It was caught by a downstream user.)