
"Other attacks are not permitted to be used and no compensation will be granted if used. These include:

Attacks on other Swiss Post systems or applications

Attacks on the voter’s end device

Attacks based on the assumption that voters do not keep to instructions, e.g. a voter does not check the ballot casting key"

so like... they pass the test, and then they declare "it's secure! we did a 'hacker' test!". but then they deemed these giant vectors out of scope...

seems dangerous in that it fails to demonstrate that the thing is actually end to end secure, yet creates a straw man that sounds awfully close...

sure it's a hard problem. that's the point.



The scope has to end somewhere.

Attacks on other Swiss Post stuff are probably out of scope because it's hard to get agreement from all the stakeholders involved.

The other stuff sounds like things they can't reasonably control (voter device security and behaviour).

Going into the Ts&Cs, this looks more like a good faith effort than a blatant Telegram or BitFi style publicity stunt.


Using insecure browsers on insecure unpatched devices for trusted secure state-level voting is a bad idea to begin with.

If they decide to go ahead with this approach, they should at least try to harden their system as much as they can against all possible approaches.

As an example, a few months ago the Swiss CCC demonstrated a DNS attack on the e-voting system of Geneva, which was easy since they had deployed neither DNSSEC nor HSTS preloading. While DNSSEC is not trivial to deploy (but almost trivial when using a DNS server like Knot), HSTS preloading can be done in two minutes and there's probably no reason not to do it.

A few months later, actual state-level votes are conducted through systems by both Geneva and the Swiss Post without DNSSEC and without HSTS preloading.

The Swiss Post is just doing the minimum they have to in order to fulfill the law, while at the same time using the intrusion test as a PR instrument. If you demonstrate a practical and scalable attack, but require a MITM attack vector (e.g. with a root certificate; see the Superfish case for example), then they can claim it's out of scope and that their system was unhackable.

An e-voting system with an intrusion test is better than an e-voting system without an intrusion test. But the consequences of such a test and the way it's communicated are very problematic.
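The comment above treats HSTS preloading as the quick fix for the DNS-level attack. What "preload" actually requires is a specific Strict-Transport-Security header: a max-age of at least one year, includeSubDomains, and the preload token (plus an HTTP-to-HTTPS redirect on the host, which this script does not check). The following is an added example, not code from the thread, from the Swiss CCC, or from any of the e-voting vendors; it parses the header and reports which preload requirements it misses. The header values in it are constructed samples, and the optional fetch_sts helper (which does a live HEAD request) is only needed if you want to point it at a real host.

```python
"""Check a Strict-Transport-Security header against HSTS preload requirements.

Added example (not from the thread). The sample headers below are constructed,
not captured from any real site.
"""
import http.client
from typing import Dict, List, Optional

# hstspreload.org requires max-age >= 1 year (31536000 seconds).
PRELOAD_MIN_MAX_AGE = 31536000


def parse_sts(header: str) -> Dict[str, Optional[str]]:
    """Parse an STS header value into {directive: value or None}.

    Directive names are case-insensitive per RFC 6797, so they are lower-cased.
    """
    directives: Dict[str, Optional[str]] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if sep else None
    return directives


def preload_problems(header: Optional[str]) -> List[str]:
    """Return the reasons a header fails preload requirements (empty list = eligible).

    A missing header is the case the Geneva DNS attack relied on: the first
    plain-HTTP request can be redirected anywhere because the browser has no
    HSTS policy cached and the host is not in the built-in preload list.
    """
    if header is None:
        return ["no Strict-Transport-Security header served over HTTPS"]

    d = parse_sts(header)
    problems: List[str] = []

    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("missing or non-numeric max-age")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {max_age} below required {PRELOAD_MIN_MAX_AGE}")

    if "includesubdomains" not in d:
        problems.append("missing includeSubDomains")
    if "preload" not in d:
        problems.append("missing preload directive")
    return problems


def fetch_sts(host: str, timeout: float = 10.0) -> Optional[str]:
    """Fetch the STS header from https://host/ (live network call; optional).

    Hypothetical helper for running the check against a real host. Not invoked
    by the offline demo below.
    """
    conn = http.client.HTTPSConnection(host, timeout=timeout)
    try:
        conn.request("HEAD", "/", headers={"Host": host})
        resp = conn.getresponse()
        return resp.getheader("Strict-Transport-Security")
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed sample headers, from "preload-ready" to "nothing at all".
    samples = {
        "preload-ready": "max-age=31536000; includeSubDomains; preload",
        "short-max-age": "max-age=86400",
        "no-header": None,
    }
    for label, header in samples.items():
        problems = preload_problems(header)
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
```

If the header check passes, the remaining preload-list requirements (valid certificate, HTTP-to-HTTPS redirect on the same host, every subdomain served over HTTPS) are checked by the submission form itself, which is why the whole process takes a few minutes once the header is in place.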


Correction: Actually the Swiss Post does HSTS-preload their e-voting system. Geneva doesn't.


No, it absolutely doesn't. The scope for an electronic voting system is anything and everything that a hostile world power's intelligence agency might be able to try. If you want to use a bounty program to convince people a voting system is secure, it needs to include immunity for kidnapping and torturing key staff members and their families, and other real-world activities, in addition to all the electronic attack surface in the universe.

This is clearly unreasonable... and so is electronic voting.


When comparing one system to another you should generally do just that. Not compare one system to an absolutely perfect and flawless system. The NYT had a pretty solid article [1] on the fiasco that happened in Florida in their 2018 elections. But I think a couple of paragraphs cut to the heart of the issue:

Florida’s protracted 2018 midterm election has revealed the warts of an imperfect voting system that normally go unnoticed. This time, the world is watching, and South Florida election officials are being exposed for sloppy processes that in some cases, a judge found this week, violated both state law and the Constitution. Yet those very procedures are common during elections, political analysts in Florida say; they just don’t get much attention most of the time because most elections end with wide enough margins of victory that few people scrutinize them.

Our current election systems are pretty bad, as illustrated by the numerous examples in that article. And that's all just a mixture of internal ineptitude and maybe a pinch of decentralized maliciousness. If you're going to measure the security of a system by some standard of 'cannot be broken by enemy states kidnapping and torturing key staff members and their families [to coerce exploitable action]' then it should be clear that our current system fails abysmally. So you need to compare the pros, and indeed the cons, of both systems relative to one another.

[1] - https://www.nytimes.com/2018/11/11/us/florida-recount-electi...


Meh. Mail voting shares that part, so removing it from the scope of testing for electronic voting makes plenty of sense.


To be fair, the last two are spearphishing attacks and so are limited to manipulating a single vote. While important, the scope of this test is to ensure that a single actor cannot manipulate masses of votes at once to skew things heavily in one direction.

The first one makes sense as they still have an important service to run outside of the scope of just voting - no one wants Swiss Post to go down for a month while they pen test because some hacker decided to bring it down.



