That's sort of a double standard, though. No, Debian et al. aren't perfect and there are ways that serious bugs can and do make it through to production systems. But very, very few of them are malicious exploits. The xz-utils mess last year was a very notable, deliberate attack that took years of planning to get an almost undetectable exploit into a core Linux library.
And. It. Failed. Debian caught it.
So no. Not perfect. But pretty good, and I trust them and their track record. That's a very different environment than "Here guys, we'll send your code all over the world. But no Russian emails please. Thx."
I don’t think we actually have negative evidence of this: we don’t in fact know that the xz attack took years to plan, or that its failure signals the failure of other attempts. I think it would be wrong for us to assume this.
(Plus, my recollection is that Debian didn’t catch it. It was caught by a downstream user.)