If it's correct, it's highly likely that most cloud vendors are in the same boat. Imagine Google or AWS, who each have multiple millions of servers: even if they build their own motherboards, there are so many 3rd party components there's no way to vet all the boards. Their IDS will catch some, but not all.
One might imagine a cloud vendor is constantly the target from multiple state actors, foreign and domestic, all vying for universal access.
X-ray won't catch substitute chips: they will have the same package and same markings but a few extra functions on their silicon. Good luck eyeballing that one. I think you're right though: they should examine a sample of the boards at lest.
In addition--layering defense--one would imagine simply putting a motherboard on a quarantine LAN, simulating their production network, and watching its network traffic for phoning home.
The real implants might be waiting for a specific situation, like a date or a string on the bus, so you never really know if you got them all.
One might imagine a cloud vendor is constantly the target from multiple state actors, foreign and domestic, all vying for universal access.