
Fair would be sending executives to jail for hacking. Releasing a non-backdoored BIOS was the absolute minimum.

Edit: As pointed out by josteink, the BIOS wasn't backdoored - it was used to install a backdoor. But calling what it installed "insecure Windows-software" is also inaccurate. According to https://en.wikipedia.org/wiki/Superfish#Lenovo_security_inci..., its purpose was man-in-the-middle attacks against the user. So I still think criminal liability and jail time would be just. Ordinary people have been sent to jail for far less.



To be fair and technically correct, the BIOS itself was not backdoored.

The BIOS itself was fine, but it contained insecure Windows-software which it requested/instructed Windows to install.

Install any other OS (like Linux) and there would be no backdoor at all.

To be clear I’m not trying to defend Lenovo’s actions here, I’m just trying to be clear about what this incident was actually about. The simplistic description is IMO a bit too simplistic in this case.


Fair would be sending executives to jail for hacking.

That would be up to a prosecutor. A civil suit would take the form of a class action.


Or banning for a period of years the company from any government work as happened to Arthur Andersen in the UK.



