Board: Hardware wallets
Re: Ledger Recovery - Send your (encrypted) recovery phrase to 3rd parties entities
by HeRetiK on 18/05/2023, 12:13:28 UTC
Merited by Welsh (6), RickDeckard (3)
From my understanding of Trezor's architecture the private key never leaves the chip -- the firmware is only able to send messages in and get signed messages out.
Which is exactly what Ledger said about their secure element. At the end of the day, the hardware, software, and all the architecture is designed and built by a single entity, and if they wanted to extract your private keys, they could. If Trezor's microcontroller was actually impervious to such attacks, then why are they trying to build their own secure element?

Ledger is partially closed source, so there's always been a black box surrounding their "secure element". Accordingly, security researchers were somewhat limited in their research.

Trezor on the other hand is completely open source, from top to bottom, from hardware to software. Accordingly, security researchers have been able to take it apart completely. Theoretically you can even build one yourself! And while they did find vulnerabilities that enabled the extraction of private keys with physical access, none of these were as simple as just adding custom firmware to the device. Which is something that for Trezor hardware would be fairly trivial, given the open nature of the device. Heck, there's even a guide by Trezor themselves on how to flash your device with custom firmware within their GUI: https://trezor.io/learn/a/downgrade-firmware-trezor-model-one

If extracting the seed from a Trezor were as simple as a malicious firmware update, I'm fairly certain we'd know at this point. Otherwise researchers wouldn't have to rely on side-channel attacks [1] or forcing RAM dumps by physically glitching the hardware [2][3]. [2] also briefly touches on why the seed itself can't be accessed by custom firmware at around the 38:45 mark.
(AFAIK [2] is still a threat, but [1] was fixed before public disclosure and [3] seems to have been mitigated by increasing the PIN length [4])

[1] https://jochen-hoenicke.de/crypto/trezor-power-analysis/
[2] https://av.tib.eu/media/39203
[3] https://cointelegraph.com/news/trezor-wallets-can-be-hacked-kraken-reveals
[4] https://www.reddit.com/r/Bitcoin/comments/sdx4r6/psa_trezor_doesnt_have_the_oftmentioned_seed/

TL;DR: Trezor we can verify, Ledger we have to trust. And what a misplacement of trust that has been.