The problem is if you can spend e-cash over and over. When the e-cash debate started, c. 30 years ago, some of the proposals would have allowed that. Hitachi produced a smartcard chip back then, H8-based of course, which they said was unbreakable, but
- nobody really trusted it (all the hacks discussed here were known back then... Google the Capstone Clipper chip and the special features it had; ignore the civil rights stuff).
- the banking business would not touch e-cash on which there was no central "database" (fantastic for tax evasion, etc.)
Then the whole e-cash business basically died because it became obvious nothing can be trusted.
AIUI, bitcoin cannot be spent multiple times so your loss is limited to the contents, and that's fine.
Yes the 32F417 is > 10 years old but is there another software-compatible and pin-compatible chip which has "strong" RDP2? If ST do one, they are admitting the previous ones are weak. But give it 5 years and the new one may be broken too.
I did a quick Google search and there is the ST33K, but it has much less RAM and is much slower; "Hardware security-enhanced DES accelerator" suggests it was designed > 15 years ago, but hey, it has "Highly efficient protection against faults".
Interesting debate, but every time someone comes up with something, 30 secs on Google finds a problem. Ultimately, if RDP2 was secure, you would not be able to improve on any crypto co-processor (except on speed of RSA).