If we can assume that Coldcard's code is secure enough and has been put under the microscope back and forth to look for vulnerabilities.
Of course - it's not a safe bet or anything, just saying to take into consideration: 'old code' has always been seen more than 'new code' inherently.
Passport will surely add plenty of their own code and improvements in areas they didn't like with the Coldcard. Those new snippets will also need to be checked thoroughly.
In my experience, to build from an existing codebase, you have to read a lot of it and build an understanding gradually; only when you reach the point where you fully understand it, you can really start meaningfully modifying it. This thorough analysis of the entire code often reveals bugs and programming errors, further enforcing my point to get more people developing and auditing a similar codebase rather than each making their own.
You inherit the good, but you also inherit anything bad, assuming there is something bad.
Unless you spot and fix it, but yes, true. The question is though whether you wouldn't have made similar (or other - maybe many other?) programming mistakes when doing it all from scratch.
If a serious vulnerability gets found in Coldcard, and Passport uses the exact same code, users of both wallets would have problems until a fix is found.
That's right: if you have one piece of software that everybody is running, you can hit many more users when you find a bug in it.
I believe this is the main counter-argument against my idea of a HW wallet firmware, but on the other hand, we're all running the exact same Bitcoin Core v22.0... Just saying. Similarly, the Linux kernels of our nodes (and 99% of the internet infrastructure) are most probably all virtually identical. I'm not completely sure if that's good or bad, honestly.
Recent example of a security hole in widely used software: Log4j.