
As a pentester at a security company doing assessments for customers, I can say that this is definitely false.

We value our independence highly. It is what ultimately brings in business. It would be very bad business if one of our customers gets hacked, when it was an easy vulnerability for us to find.

This is the same for the NCC group here. If in a few weeks the WhatsApp e2e encryption on backups was cracked, they would look like fools. And that is not good for business.




It isn't merely being hacked. If for some reason data gets exposed, it is easy to redefine the exposure point as a third-party issue. For example, let's say an app allows you to install a plugin. However, the plugin API lets a third party run anything they want. I've seen firsthand how auditors will determine that it isn't the fault of the company they are auditing, regardless that the company provides a plugin API that allows for easy exploits, because their software isn't technically the one exploiting the user.



