The big difference here is that states can simply buy access to, e.g., a Cisco Nexus and attack it from inside and out until they find a vulnerability in NX-OS, let's say, a malformed CLI-via-HTTP call.

Whereas, what software does a Google switch even run? What's the architecture, the APIs? You basically need someone inside Google, or for one of these things to fall off a truck. Way more involved and expensive than the 10k you might spend on a Nexus to throw it your lab and set your hackers on it.

Actually, Google has published papers and have presented talks (many of which are available on Youtube) on the type of gear they have developed. I don't know what their latest versions are, but recently they were using OpenFlow style infrastructure to provided fine-grained control (security, balancing, analysis) over flows through out their network. OpenFlow style constructs also provide a micro-segmentation style control (ie distributed firewall) over ingress/egress of traffic at the individual container/vm port level.

An organization whose job it is to infiltrate hostile governments and intelligence agencies should have no problem infiltrating Google.

And you think Cisco devices are better equipped against state-sponsored espionage?

I think they're worse off since they're manufactured abroad to known specifications.