Reading the code is not enough. It takes an understanding of systems theory and of the importance of how randomness is generated, or else just following the security guidance of those who do know those things.
Coldcard is (mostly) good on those fronts out of the box (some wire cutting required), but you're missing the point.
If your fallacy were applied to other signing devices (with objectively shitty security), they would pass.