Scratch the surface though and things are not so robust.
Firstly, I did write “reverse engineered” and I get the impression that that is not what the UK authorities are doing. I get the impression that they are examining the source code and then attempting to verify that the deployed binary came from that source code.
The report appears to concede that they have not so far succeeded in doing that! (largely due to flaky control in the build environment)
Access to the source code is likely to be far more efficient in terms of time and effort, but provides no assurance unless they can reliably produce the binary (and even then only if they trust or have in turn verified the toolchain needed to produce the binary from the source).
Secondly, it seems likely that the third party real-time operating system is outside the scope of the above process, which means there may be a loophole large enough to drive a bus through. (The report notes a future plan to migrate to a Linux kernel, which would mitigate that to a large extent but that would have to actually happen.)
Thirdly, with such a buggy software process, there is a risk that even without Chinese state interference there could still be Chinese state exploitation of the resulting bugs, the assumption being that if the UK government can demand that Huawei allow UK inspection of its source code (as appears to have happened) then the Chinese government can demand the same.
An ideal report would conclude “we have examined the product extensively and not found any vulnerabilities”.
Instead it basically concludes “we found heaps of vulnerabilities but we think they are due to incompetence rather than malice”.
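The reproducibility point in the comment above, as an added example that is not code from the commenter, from Huawei or from the UK evaluation centre: a toy "build" (packing a constructed source tree into a tar archive) shows why source access alone proves nothing about a deployed binary, which build inputs typically leak in (timestamps, ownership, file order), and that a matching digest only moves the trust question onto the toolchain that did the building.

```python
import hashlib
import io
import tarfile
import time

# Constructed stand-in for a source tree: path -> file contents.
SOURCE_TREE = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "src/util.c": b"int helper(void) { return 42; }\n",
    "Makefile": b"all: src/main.c src/util.c\n",
}

def _pack(tree, order, mtime, uid):
    """Pack the tree into a tar archive (our stand-in for 'the build')."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path in order:
            info = tarfile.TarInfo(path)
            info.size, info.mtime, info.uid, info.gid = len(tree[path]), mtime, uid, uid
            tar.addfile(info, io.BytesIO(tree[path]))
    return buf.getvalue()

def naive_build(tree, build_time=None):
    """A careless build: dict order, wall-clock mtime, the builder's uid."""
    return _pack(tree, tree.keys(), time.time() if build_time is None else build_time, 1000)

def reproducible_build(tree):
    """Every environment-dependent input pinned: sorted paths, mtime 0
    (the SOURCE_DATE_EPOCH idea), uid/gid 0."""
    return _pack(tree, sorted(tree), 0, 0)

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def verify_against_source(deployed, tree, build_fn):
    """Rebuild from source and compare digests. True only says the artifact is
    explained by source + build_fn; build_fn (the toolchain) still has to be trusted."""
    return sha256(build_fn(tree)) == sha256(deployed)

def explain_mismatch(a, b):
    """Report which tar header fields differ between two builds, to locate the
    non-determinism that makes verification fail."""
    ma = tarfile.open(fileobj=io.BytesIO(a)).getmembers()
    mb = tarfile.open(fileobj=io.BytesIO(b)).getmembers()
    diffs = ["member order"] if [m.name for m in ma] != [m.name for m in mb] else []
    for x, y in zip(sorted(ma, key=lambda m: m.name), sorted(mb, key=lambda m: m.name)):
        diffs += [f"{x.name}: {f}" for f in ("mtime", "uid", "gid", "mode", "size")
                  if getattr(x, f) != getattr(y, f)]
    return diffs
```

Two naive builds of identical source disagree purely on metadata, so an evaluator with the source but without the original build environment cannot confirm the deployed artifact; pinning those inputs makes the rebuild match, after which the remaining unverified component is the build tool itself.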