This! If security is your prime directive in your line of work(government, highly sensitive data, etc), then as long as your device has been outside your physical possession and in the hands of an untrusted third party, then it's automatically considered compromised and gets wiped or discarded by your IT department.

Because no amount of marketing security fluff from Microsoft, Apple, Google can stand against targeted attacks of state actors or knowledgeable motivated well funded actors with freshly acquired zero days.

The security they provide is only good enough against the average thief off the street, which I guess covers 98% of Average Joe's threats.

Even CC security certifications never judge a device whether it's hackable or not, but only on how long it takes for it to be hacked by an accredited lab, because nothing with outside physical access is ever unbackable. With enough time and six figure equipment off the publicly available commercial market, everything reveals its secrets eventually. And that's without zero days off the black market.