That still leaves several vectors since that phone might be reloaded with something compromised. That phone would have the same serial number and MAC address.

That would let a someone turn it into a Trojan horse if they can replicate enough of the experience of the device.

Totally not an acceptable solution. It needs to be more obvious who/how the phone was compromised.