Board: Hardware wallets
Topic: Re: Ledger Nano S Plus
by Pmalek on 24/02/2022, 17:34:31 UTC
That's where I come in and mention open source code & code 'reuse' though: By Foundation forking off tried & tested ColdCard code, essentially a large part of the Passport's codebase is already at least reasonably trustable to be secure.
If we can assume that Coldcard's code is secure enough and has been put under the microscope back and forth to look for vulnerabilities. I am not saying it hasn't, nor am I an expert in that department, but Coldcard is not even nearly as popular as Ledger and Trezor. I am sure that more security experts have looked at Trezor and Ledger, be it for the right or wrong reasons. Passport will surely add plenty of their own code and improvements in areas they didn't like with the Coldcard. Those new snippets will also need to be checked thoroughly. 

This is a general concept: if there was more collaboration of HW wallet manufacturers and developers, it would be possible to create a 'master firmware' for hardware wallets that everyone, also new companies, could use & hit the ground running. Beneficial for (new) businesses and users.
It's still business. And business is competition. Everyone wants to be on top and get the biggest piece of the pie. When it comes to money, the big fish will always go for the small fish. Reusing open-source code is a double-edged sword. You inherit the good, but you also inherit anything bad, assuming there is something bad. If a serious vulnerability gets found in Coldcard, and Passport uses the exact same code, users of both wallets would have problems until a fix is found.