Trust but verify
A couple of theories that spring to mind:
(1) The GCSB is doing its job. They have access to classified threat information that can't be discussed in public, but it leads them to the unavoidable conclusion that it's less damaging to NZ's national interests to interfere with healthy commercial competition than to let Huawei kit in.
(2) The GCSB isn't doing its job. For murky reasons that involve keeping our Five Eyes partners happy they're screwing Spark and the country's future infrastructure over, under a smokescreen of "trust us, we know what's best for you." Or maybe they just like Vodafone.
(Or, more depressingly, (1.5) The GCSB is doing its job. They've made the hard-nosed decision that the Huawei "threat" is Trump Administration bluster, but Five Eyes is valuable enough that it's better for the country overall if we play along.)
The problem is that none of these theories are refuted by the known facts. As an NZ citizen I'd very much like to believe (1), and as a grown-up I grudgingly accept that (1.5) isn't outside the bounds of realpolitik. However, with the massive loss of public trust that the intelligence community brought upon itself with the Snowden disclosures you don't need a tinfoil hat to accept the possibility of (2). I do have some sympathy for the GCSB here, because even if they could declassify all the evidence behind their decision they'd still be accused of selective disclosure and nothing would change.
Ultimately though, it's irrelevant. Whether thanks to conspiracy or cock-up (here's looking at you, Cisco), we have to assume that any technology we import can't be trusted to behave in our national interest. I just hope that the people responsible for risk mitigation view all vendors as sceptically as they do Huawei.