e-Estonia and X-Road have gotten a lot right over a long period of time, but selecting and relying on Gemalto was clearly not one of them--rolling out useless, vulnerable cards for 9 months is impressively bad execution.
In its current design and implementation, X-Road is interesting. For example, Data Embassies are a notion that I can get behind. I suppose that is why there are so many countries evaluating it.
The mistakes made have been described thoroughly by Arnis Paršovs if you want to read more, but I want to say that Gemalto is not necessarily the true cause. For example, there are known cases of keys being generated outside the smartcard. Gemalto or no Gemalto, you can make grave mistakes when you have flawed processes or rules.