Hacker News

I have a Yubikey and it isn't read only. You can customize how it works with software they provide.



Setting parameters in the device is different than replacing the firmware. The attack requires replacing the firmware. As far as I know, YubiKeys have never been able to update firmware after they've left the factory. In the forums you will see Yubico people offering to swap devices because of problems related to outdated firmware.

There was also a blog post by Yubico confirming that the BadUSB attack is irrelevant on YubiKeys. https://www.yubico.com/2014/08/yubikey-badusb/

I think the takeaway is that all the devices are read only except the Neo, and the Device Firmware Upgrade (DFU) implementation on the Neo "requires the new firmware image to be signed by [yubico]. Yubico does not endorse nor support use of DFU for users".

The Neo also has JavaCard capability that lets you load applets. In the latest devices, unless you purchase the developer editions, the JavaCard apps cannot be updated.* Older Neos allowed you to build and load your own JavaCard apps.

* I'm not entirely sure about whether in the latest Neos the JavaCard apps can be updated to new official signed YubiKey versions or whether the JavaCard apps cannot be updated at all...


The important part is you can't read your private key out, nor update the firmware to something that allows you to read the private key out. The customization you can do is unrelated.



