It's done on a laptop with a removed hard drive, read only USB running the software, and disconnected from the internet.

Fully airgapped.

Arguably more secure than a hardware device from a manufacturer.

You are correct in that doing this without proper precaution could be disastrous.

It's part of the service we provide.