“Quite a stat.”
Actually it is. So far almost all Linux vulnerabilities required physical access to the machine, user passkey, and SU root access. Intentional or accidental. :)
My favorite flavor was Puppy Linux, run as root! A defense of it: https://unix.stackexchange.com/questions/46287/when-does-the-puppy-linux-security-model-make-sense
My concern was that of using patented multimedia codecs, which I worked to avoid.