@nieldk already explained it well. In most cases the possibility of reproducible build from sources already deters the will to put in backdoors.

Also one does not need to look at every line of the 5 million LOC, there are ways to speed up the process pretty much, for example with c sources you can grep thru included headers to find the modules most likely to do some funny business and then check those.

Also there does exist way to have reprducible RPM builds