They have -- this is basically what Stuxnet did. Some of the Equation Group leaks were even further advanced -- they installed themselves in the hard drive firmware, then hid the sectors where the exploit code was stored even from the BIOS.
So point is, it's been done. That's why the Equation Group malware operated undetected for almost a decade (and maybe longer than that). Never underestimate the power of a government -- they can afford to hire and train an army of Ken Thompsons for the price of an aircraft carrier.
Yeah; that's what you get with nation-state resources. How long does it really take to reverse-engineer a target like HDD firmware? Give a good hacker a month and they could probably figure it out for one HDD -- now realize the government can hire, train and supply hundreds of people like this.
Sure, it costs billions. But to a nation-state, billions are easy to find.
This is why modern security tools and practices are really only going to be capable of keeping out criminal organizations and mass-hacks. If a nation-state decides to target you, there is really no way you can defend against it. Often they are able to undermine the trust mechanisms in place through sheer resource asymmetry (they have the compute resources to brute-force SSL key collisions -- they did this with Stuxnet to fake a Microsoft signing cert to push the payload via a MITMed Windows Update).
There are even reports of three-letter agencies intercepting routers during shipment, desoldering chips from the board, and replacing them with "bugged" chips containing back doors in hardware; then packaging it all up and getting it delivered on time.
You just can't fight that kind of power; even as a company as large as Google or Apple. Nation states will always be able to probe and exploit the edge cases in your security model. In general, you can't make anything totally secure, but you can try to make it cost enough to break into that it will deter anyone who can't justify the cost.
Also to clarify, Stuxnet was the trojan (widely attributed to the CIA and Mossad) designed to introduce subtle errors into the uranium centrifuges that Iran was using to enrich uranium for nuclear weapons development.
It was really ingenious in a lot of ways: it targeted a specific industrial controller card. Even then, all it did was use the controller card to introduce a subtle voltage fluctuation in the power supply in 1/10 of the centrifuges that rapidly burned out the motors.
Basically, it introduced subtle errors into the system that the Iranians spent about a year trying to resolve. It also spread itself through some ingenious mechanisms to avoid air gaps -- in this case it is suspected they infiltrated a supplier for the centrifuges in China via spear phishing and got it on a USB drive from the supplier to cross the air gap (the way it embeds and hides itself in USB microcode is pretty cool).
The whole story reads like a spy novel; except it actually happened. It's one of my favorite examples of how a nation-state can use cyberterrorism to sabotage an enemy from the shadows -- and this action saved lives, because the alternative was an Israeli air strike on the compound. IMO this is a great example of ethical super-spy hacking.