Re: design
The risks to be assessed are:
1 - possibility of firmware having a bug that allows unauthorised monitoring of communications (i.e. unintentional)
2 - possibility of firmware having a backdoor that allows unauthorised monitoring of communications (i.e. unintentional)
3 - possibility of supplier's staff accessing unauthorised information (either intentionally or unintentionally)
4 - system availability requiring supplier support
The risk of 1 will be similar between suppliers. With "untrusted suppliers", the risk of 2/3 is marginally higher but can be mitigated by designs creating more separation of responsibilities and supervision/monitoring by the telco. I would argue that the differences between a "trusted" and "untrusted" supplier should be close to zero.
For 4, I would point at O2's Ericsson certificate issues (https://www.theregister.co.uk/2018/12/06/ericsson_o2_telefonica_uk_outage/) as an example of the real risk with these systems. Operating these systems in the event of a country being sanctioned or worse would present significant risks.
Which then moves the conversation onto international relations, who you really trust and what are possible future issues and can you run the 5G network independently from the supplier.