You realize that no one would give them money for the replacement SIMs? They would be required to replace them for free, like in any recall.
Not just that - it might be worth it to the carriers to get the SIMs from anybody else.
Nobody buys their SSL certs from Diginotar anymore - there is a smoking crater on the crypto landscape where that incompetent business used to be.
Gemalto is left with having to prove the negative. We only need believe that their security and forensics people are more competent than the NSA/GCHQ attacker and cover-up people are, and continue to trust them on that basis. Gemalto cannot take a different position than they are now, no matter how confident they are/aren't.
Why aren't phones generating their own keys when they're activated at the store? Burn a fusible link if necessary. This would be more secure _and_ cheaper for the carriers. Oh, because NSA has plants on the GSM committees?