Were the companies importing said products LIABLE for said risks, my bet is that they would not be doing this.
Normally all security critical systems are kept off the public internet, so there would be no way for a spyware worm to communicate with a back door. However there are tricks like putting the worm on a thumb drive, labeling it porn, and “losing” it in the parking lot of a secure facility.