But why are they inspecting the source code?
I don't think it's feasible to guarantee that the binaries running on the network gear are generated from the inspected source code.
Unless you're planning to desolder all the flash chips and test them individually, who's to say what's actually running?
The OS can simply report whatever the attackers want it to, including lying about what binaries are running.