Or there are licensing issues - in some cases there might be non-transferable licenses for bits of things in the ROM that are held by NXP but which are problematic to show to someone not employed by NXP.

Sometimes it also happens that company finds out they broke a license and there's no way to fix it silently...

More likely just bureaucracy. All the agreements I've been involved with negotiating were worded to cover disclosure to contractors, third party security review, etc, provided such parties were covered transitively by the same disclosure restrictions as the licensee.