Intense oversight and monitoring would prevent introduction of any hostile code.
I'm in non-defense (health care) IT, and even in my field the scrutiny is amazing.
I’ve been around microprocessor development and design. Two or three parties working in concert could insert hard-coded commands into the design. Not firmware, but hardware.