Right. Companies can definitely screw up w.r.t. cryptography. Sony PS3 is another famous example that comes to mind: https://arstechnica.com/gaming/2010/12/ps3-hacked-through-poor-implementation-of-cryptography/

Even when the cryptography is correct, the signature is only as good as the person/group guarding the private key. So signed firmware significantly mitigate risks, but don't completely eliminate all issues. (This is why if you're super paranoid, multi-vendor multisig is still the most rational solution).