If it's for security, it would be theater. How hard would it be for someone to open the package, put their spyware on it and repackage the drive? Even easier are OEM drives that come in unsealed boxes.
I'm guessing it's more to make sure the drive is in working order and clean of any data. This would limit liability for accidentally deleted data and broken drives. If the drive doesn't work, it's still under warranty. It also saves time on trying to make an old drive work.
It also stops Joe Shmoe from coming in with the same drive he's been using for a few years already but has no clue is filled with all sorts of malware and viruses.
Seems like they could close that gap easily enough by buying the drive themselves, and charging you the cost. Perhaps there are requirements of the law that prohibit this but allow restrictions on user-provided hardware.
A "new" drive in a box certainly wouldn't prevent your scenario from happening (somebody faking a new drive), but is that really the person's concern?
I'm thinking the biggest concern would be plugging in someone's drive who didn't know they had malware. In that case, the requirement works pretty well.
I'm guessing it's more to make sure the drive is in working order and clean of any data. This would limit liability for accidentally deleted data and broken drives. If the drive doesn't work, it's still under warranty. It also saves time on trying to make an old drive work.
A new drive equals zero hassle for them.