Board: Development & Technical Discussion
Re: How Perfect Offline Wallets Can Still Leak Bitcoin Private Keys
by tl121 on 06/12/2014, 04:16:47 UTC
I think I may be missing something in the discussion here.

You can never test a program as a black box to see if it is correct except by exhaustively testing all possible inputs, and even then only if the program has no internal state.  If you want to trust a bitcoin device that has your private keys you won't be able to test all possible inputs. So you will be forced to rely on a trusted computing base. The TCB doesn't have to include all the bitcoin software, but it does need to include all the hardware and the bootloader, plus there has to be a trusted method of going from vetted source code to load images that doesn't get caught by the Ken Thompson hack.

Using multiple signatures is not going to get around problems caused by untrustworthy software, especially if the software used for multiple signatures is the same and hence contains the same trap doors.  If there are diverse implementations this may help, but the high availability software people have found problems with this approach as regards software bugs.  Multiple signatures deal with issues of untrusted human agents, failing hardware and physical security.  However, they don't eliminate the need for trusted computing platforms and trusted software.  Furthermore, they are complex and hence more likely to provoke "cockpit error" by their users.

IMO the greatest problem with widespread adoption of bitcoin is security in the hands of ordinary users.  This issue dwarfs the scaling issue.