This report has been pretty soundly refuted. The so-called vulnerabilities require root privilege and/or physical access to the machine. If you have root privileges and physical access to the machine, security has already been compromised. Linus Torvalds said that this looked more like stock price manipulation than a security advisory.
CTS Labs gave AMD 24 hours' notice before going public, but the usual practice is to give a company 90 days to fix a vulnerability before it is made public. There is much that is hinky about this whole episode, including the large volume of short sales of AMD stock in the days before the CTS report was publicized.
Within a few hours of the CTS report going public, a company called Viceroy Research released a 25-page document called “AMD - The Obituary”. Hard to believe they could produce such an extensive document in just a few hours, so it seems likely that they had advance knowledge of the CTS report, maybe even funded it. Viceroy Research has done this sort of thing before, attacking the shares of a South African company.
A couple of searches on the interwebs will confirm everything I’ve written.
That said, AMD’s security processor is a black box, not open source, so I don’t see Purism using AMD processors as long as that is the case.