As of March 2019 [1] this vetting was not going very well in the UK. Only one piece of Huawei firmware was even able to achieve "binary equivalence" where the agency could determine that verified source was actually the source for specific firmware running on the device.
Reproducible builds are incredibly hard to achieve and require a significant amount of resources. Debian has been on this path for ages in a fully open ecosystem and still hasn't fully achieved it. Nobody could doubt their resolve.
All it takes is one tiny bit of proprietary software in the build chain that behaves non-deterministically (and they probably have several) and that's it. No equivalence until you rip it out and replace it. That's an expensive ask.
I'd be surprised if any vendors have achieved this. Hell, Cisco source code is probably riddled with spyware that they could spot at a glance, but "American IP considerations" 100% trump UK national security so I doubt they'd even get to see the source code.
I would love it if all of the vendors were made to have source code reviews and reproducible builds, but being realistic it's a standard that's only being demanded of Huawei. Even if they passed this high bar they'd only find some other excuse to rip them out.
Even so, unless you're talking about firmware for complex devices attached to the internet (what BT calls "the core", e.g. routers that they ripped out without much protest) you can still develop reasonable confidence that the firmware isn't exfiltrating sensitive data.
If it is simple and it is tightly scoped (e.g. firmware for an aerial) the spyware would have to be very clever and probably pretty obvious, assuming it was even possible. These kinds of devices are where the costs to rip out and replace every bit of hardware also become eye-watering.
[1] https://www.washingtonpost.com/context/huawei-cybersecurity-...
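The comment's point about one non-deterministic step in the build chain breaking "binary equivalence" is easy to show in miniature. The following is an added example, not code from the comment or from any vendor's build system: a toy packaging step embeds the build timestamp in the artifact, so two builds of identical source hash differently; pinning the timestamp via the SOURCE_DATE_EPOCH convention used by the Reproducible Builds project makes the two builds byte-identical. The source tree, the env dictionary and the epoch value are constructed for the example.

```python
"""Toy reproducible-build check: why an embedded timestamp breaks
binary equivalence, and how SOURCE_DATE_EPOCH restores it."""
import hashlib
import io
import time
import zipfile

# Constructed sample "source tree" (path -> contents). A real build reads files from disk.
SOURCE_TREE = {
    "firmware/main.c": b"int main(void) { return 0; }\n",
    "firmware/config.h": b"#define VERSION \"1.0\"\n",
}

# Constructed value a release engineer would pin, e.g. the commit timestamp.
EXAMPLE_EPOCH = 1700000000


def build_artifact(source_tree, build_time):
    """Package the tree into a zip and return its bytes.

    `build_time` is the Unix time the packager stamps into every entry. A
    naive packager uses the wall clock here, which is the non-determinism
    this example is about.
    """
    date_time = time.gmtime(build_time)[:6]  # zip stores (Y, M, D, h, m, s)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Sorted: directory-listing order is another common source of non-determinism.
        for path in sorted(source_tree):
            info = zipfile.ZipInfo(path, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, source_tree[path])
    return buf.getvalue()


def naive_build(source_tree):
    """Stamp the current wall-clock time: artifacts drift between runs."""
    return build_artifact(source_tree, time.time())


def reproducible_build(source_tree, env):
    """Honour SOURCE_DATE_EPOCH from `env` (a dict, like os.environ).

    If it is unset the build falls back to wall-clock time, so the caller
    can detect that reproducibility was not actually enforced.
    """
    epoch = env.get("SOURCE_DATE_EPOCH")
    build_time = int(epoch) if epoch is not None else time.time()
    return build_artifact(source_tree, build_time)


def artifact_hash(artifact):
    return hashlib.sha256(artifact).hexdigest()


def first_difference(a, b):
    """Byte offset where two artifacts diverge, or None if identical.

    For a zip, an offset inside the first local file header (bytes 10-13
    hold the DOS mod time/date) points straight at the embedded timestamp.
    """
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def equivalent(a, b):
    """The check a vetting lab performs: same source, same bytes?"""
    return artifact_hash(a) == artifact_hash(b)


if __name__ == "__main__":
    # Two runs one minute apart, as a wall-clock build would see them.
    run1 = build_artifact(SOURCE_TREE, EXAMPLE_EPOCH)
    run2 = build_artifact(SOURCE_TREE, EXAMPLE_EPOCH + 60)
    print("naive builds equivalent:", equivalent(run1, run2),
          "first differing byte:", first_difference(run1, run2))

    env = {"SOURCE_DATE_EPOCH": str(EXAMPLE_EPOCH)}
    pinned1 = reproducible_build(SOURCE_TREE, env)
    pinned2 = reproducible_build(SOURCE_TREE, env)
    print("pinned builds equivalent:", equivalent(pinned1, pinned2))
```

The offset reported by `first_difference` lands inside the first local file header, which is exactly how a lab would start tracing a mismatch back to the offending build step; in a real toolchain the same diagnosis is done with `diffoscope`, and a proprietary component that cannot be pinned this way is the "rip it out and replace it" case the comment describes.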