it's a big IF since usb always has firmware.
trezor is a great attempt at minimizing the attack surface by designing duty-built hardware. it's a shame that they chose usb instead of serial, imo.
USB doesn't inherently need firmware, any more than a serial port does.
It's just easier to build programmable devices because you can fix bugs in software instead of hardware. The cost is that a general purpose computer is capable of any computation, and that's a giant attack surface.
I'd feel better about the hardware wallet projects if I saw the teams involved take this issue very seriously and go back to the roots of computing - custom-built electronic circuits that perform exactly one task, not general purpose programmable computers which can be repurposed by an attacker.