If there's potentially malware that embeds itself hard enough to resist a disk wipe, or even replacement, you have to worry about the prior owner's security, incompetence, potential malice, etc. And that's even if you aren't cool enough to have the NSA 'implant' teams intercepting your mail.
Given the size of the secondary market for things with firmware in them (i.e., basically all computer parts more sophisticated than cables; and even some of the cables these days), I'm a bit surprised that this hasn't already become an epic clusterfuck. Especially with scary little things like LOM modules, which are full computers, most commonly with independent NICs, that you graft right into the brainstem of your servers. Flooding the market with poisoned LOM cards/modules seems like the sort of thing that might even be worth it for a commercially minded criminal, much less a nation state looking for juicy secrets.