I can't check whether the tool is not providing me with one of the, say, 10 million keys which are stored in its memory.
It's actually not that straightforward of an attack. It can be in closed source, but even in open source it can be hiding in plain sight. It's more like the random number generator is limited to a range of numbers, either by accident (bug) or by design (malicious intent), and then that range can be brute-forced comparatively easily to check for a balance and steal funds.
Also, when you buy a device, you have to "trust" it, which is why my approach is "build your own". Everything is open source, and you can review it or trust that others have reviewed it, and use the source to put together your hardware wallet (trustless), rather than relying on pre-compiled binaries (having to trust) or opening yourself to a supply chain attack when ordering one. You simply order a Raspberry Pi and some parts, write files to an SD card, and done! Trustless system!
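An added illustration, not part of the original post: a birthday-collision test a reviewer could run against a key generator to spot a small output range such as the 10-million-key case discussed above. `weak_keygen`, `good_keygen` and the sample sizes are constructed for the demo; a clean result only bounds the keyspace from below at roughly n²/2 and says nothing about a generator that behaves differently while being tested.

```python
import hashlib
import secrets


def weak_keygen(seed_space=10_000_000):
    """Constructed faulty generator: every key comes from one of seed_space seeds."""
    seed = secrets.randbelow(seed_space)
    return hashlib.sha256(seed.to_bytes(8, "big")).digest()


def good_keygen():
    """Reference generator: 256 bits straight from the OS CSPRNG."""
    return secrets.token_bytes(32)


def count_collisions(keygen, samples):
    """Draw `samples` keys and count how many repeat an earlier key."""
    seen = set()
    collisions = 0
    for _ in range(samples):
        key = keygen()
        if key in seen:
            collisions += 1
        else:
            seen.add(key)
    return collisions


def estimate_keyspace(samples, collisions):
    """Birthday estimate: expected collisions ~ n(n-1)/(2N), so N ~ n(n-1)/(2c).

    Returns None when no collision was seen (keyspace is then likely > n^2/2).
    """
    if collisions == 0:
        return None
    return samples * (samples - 1) // (2 * collisions)


if __name__ == "__main__":
    n = 30_000  # about 45 collisions expected for a 10-million keyspace
    for name, gen in (("weak", weak_keygen), ("good", good_keygen)):
        c = count_collisions(gen, n)
        est = estimate_keyspace(n, c)
        verdict = f"keyspace ~ {est:,}" if est else f"keyspace likely > {n * n // 2:,}"
        print(f"{name}: {c} collisions in {n:,} samples, {verdict}")
```

Because the number of detectable keys grows with the square of the sample count, this test catches ranges in the millions or billions but cannot distinguish, say, a 2^64 keyspace from a full 2^256 one.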
