So, other than Dual_EC_DRBG, NIST's cryptography may not be backdoored, but maybe backdoors aren't needed when the standardized cryptography is far from the state of the art and full of holes that weaken too many projects. Maybe the lack of secure-by-design cryptography is a feature for some, not a bug. Or maybe there are legitimate reasons for promoting legacy algorithms, who knows.
The thing is, modern and secure-by-design cryptography exists, notably from D. J. Bernstein:
- ChaCha20 for secure and fast encryption
- X25519 for key exchange
- Ed25519 for signatures
- BLAKE3 for hashing, key derivation, and symmetric signatures (MAC) (BLAKE3 is based on a slightly modified core of the ChaCha20 function)
- The Safe Curve list