Exactly. This is a company initiative to increase company profits. It's smart business, as long as it's not illegal or the fine is insufficiently high.
Is it smart business though? Once disclosed it provides future purchasers with a strong reason to avoid your products. Who wants to spend millions on trainsets that could become unserviceable in the event that the seller goes out of business or makes some mistake in authorizing service centres or gets into a dispute with us over another matter?
It can be smart business if the probability of it being disclosed is low enough. Using fake numbers as an example, if you can make an extra $1 million on repairs and will suffer $100 million in fines / lost business if it becomes known, as long as the probability of it becoming known is less than 1%, it's a net positive expected value.
I would guess this is also why the code was found: it's parallel construction.
Somebody was told to take a closer look.
Otherwise it would be very weird to have 3rd party developers disassembling firmware code. I've never heard of that happening because a train didn't want to start.
When the trains your company serviced start experiencing failures, you look at your workers. When the trains your company was supposed to service, but didn't manage to touch yet start experiencing failures, you might begin wondering about alternative explanations.
I imagine someone in the company was someone who knew (or was a parent of someone who knew) someone in Warsaw Hackerspace, and introductions were made.
