BusyBox represents an unknown... just because the cases so far have gone a certain way doesn't mean they always will. It's easy to imagine doing some math on a napkin and coming to Tim's position. It's free software, and he's equally free to not use it.
But I'd certainly be more comfortable with a project to ensure compliance in the providers. It's easy to assume the suppliers would be willing to prove compliance if they didn't get paid until it was proven.
I admit this is a simple view of a very complex supply chain (sorry Tim). The suppliers still must prove the replacement is used instead of BusyBox. Why not just check the sources provided instead?
This is a fixed R&D cost (not a per-unit cost), and big electronics companies force suppliers to conform to all kinds of rules and specifications. They also do a range of tests on the fully assembled devices.
It's fair for us to expect compliance to be one of those tests.