<Snip>
Malicious firmware and software will always be a threat for users who get tricked into installing them or have them installed on their devices before the devices even reach their hands. Trezor's approach in this matter is better. Your device comes with no firmware installed and you have to be the one who installs it. Ledgers arrive with firmware pre-installed. You should definitely reinstall the firmware before use. Verifying that you are using the official software is crucial, and with Ledgers you should also verify the hardware in your device. Doing that will void the warranty, though.
What's also worrying is the malicious firmware passing Ledger's genuine check.