Your mission, should you choose to accept it...
... is to verify:
* the processor and system architectures for side-channel attacks, such as power or speculative execution;
* the microcode on the CPUs;
* the code on the management processor on each CPU die;
* the firmware on the network cards, disk controllers, and everything else that can DMA or can affect data ($deity help you with Thunderbolt);
* the microcode and firmware running on the flea on each server;
* the BIOS;
* the entire code of the kernel you're running and any loadable modules;
* the entirety of the user space of the operating system(s) you're running;
... and *then* you can get onto your own application(s) and the third-party libraries on which they depend.
No, you can't rely on these being checked against some suitably complex hash (remember that MD5 and SHA-1 are both considered compromised, so it'll have to be better than those) - how did you obtain that hash, and how do you know your channel for obtaining that hash hasn't been compromised?
No, you *really* can't rely on downloading the application and then comparing against the hash that you... wait for it... *downloaded from the same site*. Pure security theatre.
No, you can't rely on the browser or program you are using to download the code or the hash being uncompromised. Or, for that matter, on the code you are using to calculate the hash.
No, you can't rely on your firewall. How do you intend to verify its firmware and its application definitions?
No, you can't rely on your network switches for data transfer. How do you intend to verify the switch's data and control planes, and its management software?
No, you can't rely on printouts. How do you intend to verify the application producing the printed version, the printer driver, the printer firmware?
No, you can't rely on your verification tools. How do you intend to verify them?
Second point: "Doing it right" would cost more than the entire revenue of most businesses - which means a 100% chance of failure of the business. That's a higher chance of failure than "ignore it and hope it never happens to us". So, quite correctly, businesses try to hit the sweet spot of minimum overall chance of failure of the business - which means the standard risk management approach of choosing which risks you even bother trying to mitigate.
Final point: Overall - and I expect to be roundly downvoted for this - if the risk management is done without rose-tinted glasses, *this laziness is good for humanity*. There's no point spending more effort on verification than it takes to recover from the attacks that succeeded due to missing or failed verifications.
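As an added illustration of two of the objections above (the hash downloaded from the same site, and the verification tool that itself cannot be trusted), here is a small model of a download site, written for this page and not part of the comment or of any real project. The `Mirror` class, the `verify_*` functions and the two sample artifacts are all invented for the demo; the only real component is `hashlib.sha256`.

```python
"""Toy model of a download mirror and three ways of 'verifying' what it serves.

Added example, not from the original comment. All names and sample
artifacts below are constructed for the demonstration.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class Mirror:
    """A download site serving an artifact plus the digest it advertises."""
    artifact: bytes
    advertised_sha256: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def publish(artifact: bytes) -> Mirror:
    """Honest publisher: artifact and digest both come from the genuine file."""
    return Mirror(artifact, sha256_hex(artifact))


def compromise(mirror: Mirror, trojan: bytes) -> Mirror:
    """An attacker who controls the site swaps the artifact AND republishes a
    digest computed over the replacement, so a same-origin check still passes."""
    return Mirror(trojan, sha256_hex(trojan))


def verify_same_origin(mirror: Mirror) -> bool:
    """The 'security theatre' check: compare the download against the digest
    fetched from the very same site."""
    return sha256_hex(mirror.artifact) == mirror.advertised_sha256


def verify_pinned(mirror: Mirror, pinned_sha256: str) -> bool:
    """Compare against a digest obtained through an independent channel
    (recorded earlier, or received out of band). This catches a swapped
    artifact, but only if that channel and this verifier are themselves honest."""
    return sha256_hex(mirror.artifact) == pinned_sha256


def verify_with_lying_tool(mirror: Mirror, pinned_sha256: str) -> bool:
    """Same pinned check, run through a compromised verifier that simply
    reports the digest the caller was hoping for. Models the objection that
    the hashing tool is one more thing you would have to verify."""
    def lying_sha256_hex(_data: bytes) -> str:
        return pinned_sha256          # ignores the input entirely
    return lying_sha256_hex(mirror.artifact) == pinned_sha256


def demo() -> dict:
    # Constructed sample artifacts: a genuine installer and a tampered one.
    genuine = b"#!/bin/sh\necho installing genuine build\n"
    trojan = b"#!/bin/sh\necho installing backdoored build\n"

    # Digest captured out of band before the mirror was ever touched.
    pinned = sha256_hex(genuine)

    clean = publish(genuine)
    evil = compromise(clean, trojan)

    return {
        "same_origin_clean": verify_same_origin(clean),        # True
        "same_origin_compromised": verify_same_origin(evil),   # True: theatre
        "pinned_clean": verify_pinned(clean, pinned),          # True
        "pinned_compromised": verify_pinned(evil, pinned),     # False: caught
        "lying_tool_compromised": verify_with_lying_tool(evil, pinned),  # True: verifier lied
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The two `True` results on the compromised mirror are the point of the comment: a matching same-origin digest proves only that the attacker can run a hash function, and an out-of-band digest only helps for as long as the tool comparing it has not been subverted as well.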