This is testable, and also very difficult to falsify without testing it. I'd say there is more value in doing or sponsoring the research to investigate it and I wouldn't cast aspersions on the vendors. They are better than passwords for the majority of consumer and corporate use cases.
The most basic attack and test is to verify and/or reduce the entropy of secret symmetrical (AES) keys in the SE after personalization.
The challenge with hardware security modules is verifying outputs from the same keys but on different devices, because the key is derived/instantiated in the secure tamper proof environment. The whole point is the key doesn't exist anywhere else.
If your threat model includes the intelligence agencies of super powers, your main problem is more diplomatic than technical.
The most basic attack and test is to verify and/or reduce the entropy of secret symmetrical (AES) keys in the SE after personalization.
The challenge with hardware security modules is verifying outputs from the same keys but on different devices, because the key is derived/instantiated in the secure tamper proof environment. The whole point is the key doesn't exist anywhere else.
If your threat model includes the intelligence agencies of super powers, your main problem is more diplomatic than technical.