It'd be big, specially for Trezor as a company; but I don't think it would be that big or even profitable in terms of money if you think about it. Being offline devices, the damage would be considerably mitigated by time alone. You'd (hopefully) get an email from Trezor an hour after the first few cases confirm a trend warning you to not plug and power your hw anywhere.
Going through the long con of modifying a chip design, going into production, distributing to retailers/waiting for the chips to be used by a company, and then sold and used; only to then choose a date when enough are in circulation to trigger the 0day, and only get as bounty the first random few wallets that come online that day... There are probably easier less involved ways to be a criminal.
They could try to simply sneak out a couple packets with key data every so often, and just acumulate them for the future; but that would get easily found out by people using them in secure networks.
I agree that it is pretty unlikely, but I would point out that the knock off chip fabs are
already technically criminals, and the tainted parts would operate normally in non trezor applications and would be sold at a profit.
You're right.
I imagine it could also act as an "added bonus" set in there for the future, the chip's "retirement plan". When the chip becomes obsolete due to a newer version or competition, there'll still be plenty of wallets lying around in hidden spots. Great time to strike.
EDIT: I will never get a hw wallet now.