the goals of security and verifiability are inherently conflicting as to verify you need a chip that anyone can check the content of, but for security you want a chip that no one can see the content of

the MCU may have open source code but the moment it is compromised it could log your PIN on next attempt