alt Hacker NewsThe XZ utils backdoor made it into Debian repositories undetected, although it was caught before it was in a stable version.
Debian repositories are quite secure, but also pretty limited in scope and extremely slow to update. In practice, basically everyone (I'm sure there are a few counterexamples) using a Linux distro uses it as a base and runs extra software from less tightly controlled sources: Docker hub, PyPI, npm, crates, Flathub etc. It's far easier for attackers to target those, but their openness also means there's a lot of useful stuff there that's not in Debian.
Holding up Debian as a model for security is one step up from the old joke about securing your computer by turning it off and unplugging it. It's true, but it's not really interesting.
XZ attack is an extremely rare event coming likely from a state actor, which actually proves that GNU/Linux is a very important target. It was also caught not least thanks to the open nature of the repository. Also, AFAIK it wasn't even a change in the repo itself.
In short, using FLOSS is the way to ensure security. Whenever you touch proprietary staff, be careful and use compartmentalization.