Yeah, that's right - you could prove the absence of malicious microcode, but not the absence of hardware trojans, implants, etc. There are also the embedded microcontrollers to deal with (e.g. the Management Engine, Innovation Engine, and Power Management Controller on Intel).