The US Government has publicly admitted doing just that at least once, to printers, but you're getting into the "I can neither confirm nor deny" zone. You could consider the fake broken-distillation-plant message from Midway an early example of planting a bug in the enemy's systems.
I remove all pre-installed software from new flash drives and check them with several up-to-date antivirus programs. Watch out for what executes when you play a DVD movie on your computer. PCFriendly is the known agent but there could easily be others using its techniques. Process Explorer and Autoruns from Sysinternals are good monitoring tools for this, also HijackThis and Spybot to catch Registry changes. The main reason I back up my C: drive periodically (like yesterday) with Ghost or Acronis is so I can wipe and restore it if it gets infected. The faster PC with all the good stuff stays offline.
I've never worked on consumer-grade entertainment products, only avionics, industrial & medical equipment and the Segway, so I don't really know low-cost mass production practice.
In high-quality equipment, access to the firmware is blocked by a fuse link or password but the board or system test stations typically can unlock it and confirm the code, via Pogo pins on the JTAG port for instance. If there is a potential vulnerability it's the repair operation which has to be able to get into everything and load in emergency updates using their own custom fixture that Manufacturing may not understand or fully control. If I were an operative wanting to subvert a product I'd look for a company that outsources its field service repairs.
But yes, it's quite possible to add a backdoor. Unintentional defects certainly exist; I've found them in ICs that had been in production for years.