Post
Topic
Board Press
Re: [2018-03-20] Breaking the Ledger Security Model
by cr1776 on 26/03/2018, 19:43:58 UTC
Look at Intel/AMD etc with Meltdown and Spectre and they are a huge company.

yup, i've been talking about the large attack surface and questionable authentication practices underlying hardware wallets for a while. the vulnerability seems to exploit the shared attestation (vs. authentication) problem that eric voskuil touches on here.

the "supply chain" attack he outlines is pretty worrisome. better steer clear of 3rd party resellers on ebay, amazon, etc!

I am sure you also saw the Snowden leaks where he was talking about compromises in the shipping chain itself! e.g. opening packages in transit to compromise them.

The sheer surface area of the attacks that can happen is immense - a nation state attacker or just a rogue worker at Amazon, Alibaba, DHL, UPS, FedEx or any other world-wide shipping company. A compromised component manufacturer, etc.

At least on many of them the software is open source, but the components themselves are rarely open source design and manufactured.