I disagree, because “shipped” is more abstract and covers code delivered through update mechanisms — if your definition of backdoor is limited to “time of construction”, it would sound like you would also disqualify a backdoor delivered as an OTA update. Also, attackers commonly introduce backdoors into systems they have compromised, which are entirely unrelated to the initial construction process or shipping of the code on that system: these are changes made to an existing system to subvert the normal means of authentication/crypto/etc. While I agree that phones should not accept updates without user permission, the permission to install is not an element in the definition: a user could consent to installing an update which announced it contained a backdoor, their permission would not change that it contained a backdoor.