It seems to vary by country, presumably depending on how initial provisioning is done by carriers in that country. Here’s your reading starting point: Simjacker - Wikipedia
Forum discussion (found using “search” but that was easy for me because I knew what to look for): SIMjacker: does it affect Librem 5?
Blog post from Purism itself as to how this does or does not apply to the Librem 5: SIM Application Toolkit: Avoid Being Exploited – Purism
NB: All of these are discussing a specific exploit. I was making a more general point: Rich functionality, overengineered, in a lightweight platform (the SIM itself) with potentially no possibility of underlying software update, and all closed source (both the applications and the underlying software) … is a toxic combination.
And a more general point to @amarok: Do not rule out the SIM card as an attack vector, which I’m sure he understood.
But let’s come back to … there are many, many ways in which mobile phones are attacked and most of them are more likely than directly attacking the SIM. You, as the target, of course need to defend against all of them. 