CIA, BND, and Crypto AG - and no-one really picked it up

That the article referenced secure vs insecure machines which had to be sold after manufacture rather than being simply reprogrammed still has me wondering if there was a hardware component, otherwise wouldn’t they have just reprogrammed the uncompromised units? But I suppose I can see how compromised algorithms in firmware or something could be as deep as it went.