Even if the firmware on both firmwares are completely virgin, this doesn't say much about the safety of the device. I agree that security is not all or nothing, protection in layers is always the goal of secure products. I do however caution that it can cause complacency if things are presented as bulletproof, you need to be up front about what tools such as attestation afford you. In this case it can not tell you that the device is safe or not tamptered with.