As far as I know, TREZORs are not delivered with working firmware now. You have to do an update and you should not trust your new TREZOR if it is pretending to have the newest firmware. Wouldn't that take care of the backdoor?
Theoretically, it should take care of it, but I am quite sure that there were a lot of users who didn't know that the software would get downloaded directly from TREZOR servers. There were some cases of people using hardware wallets with an already generated seed included in the box by malicious sellers. I have no idea how the device would behave in case of a hardware backdoor.