TheGrandNagus (edited)

Unfortunately there’s a lot more to it than that.

You’re right that the “back end” of Linux systems tends to be quite hardened.

It’s the desktop environments that are a concern when it comes to security hardening, IMO. Almost all servers have no DE installed so it’s not something enterprise has cared about.

How much effort has been put into security on DEs? I honestly have no idea, but so far there hasn’t been an enormous pressure to security harden them.

Shit, look at:

  • X11. It’s insecure by design, yet most distros still ship with it (understandably, since Wayland isn’t 100% yet).
  • Packaged software runs as root during the whole installation period - this means that anything slipped into the install script will have full root privileges to do anything to your system. Flatpak does fix this, but normally-packaged software is still abundant.
  • Any non-root program can change aliases in your bashrc or bash_aliases file. I.e. they can change “apt install” to some other nefarious command, or to point to a dodgy software repository, so that next time the user types “sudo apt install [XYZ]”, it downloads malware or does other nasty things.

I’m absolutely clueless about this stuff and I can come up with those potential attack vectors in seconds. Imagine what a proficient hacker could do, or a hostile nation-state.

I definitely think improvements will have to be made in terms of security, and we’re no doubt going to hear more about malware in the coming years. But it’s not an insurmountable problem, IMO. Distros and DEs will just take time to adapt.
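
A defensive check for the startup-file point in the comment above, as an added example that is not part of the original post: it scans `.bashrc` and `.bash_aliases` (plus `.bash_profile` and `.profile`, an assumption) for alias or function definitions that shadow privileged commands. The watch list, the function names and the sample rc file are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag alias/function definitions that shadow watched commands.
# Assumed watch list for illustration; extend it for your environment.
WATCHED="sudo su doas pkexec apt apt-get dpkg"

# audit_rc_file FILE: print "FILE:LINE:KIND:NAME" for each definition found.
audit_rc_file() {
    [ -r "$1" ] || return 0
    awk -v watched="$WATCHED" -v file="$1" '
        BEGIN { n = split(watched, w, " "); for (i = 1; i <= n; i++) watch[w[i]] = 1 }
        /^[ \t]*#/ { next }    # ignore comment lines
        {
            # alias NAME=... (a line may hold several alias commands)
            rest = " " $0
            while (match(rest, /[ \t;&|]alias[ \t]+[A-Za-z0-9_.-]+=/)) {
                def = substr(rest, RSTART, RLENGTH)
                sub(/^.*alias[ \t]+/, "", def); sub(/=$/, "", def)
                if (def in watch) print file ":" NR ":alias:" def
                rest = substr(rest, RSTART + RLENGTH)
            }
            # NAME() { ... }  or  function NAME { ... }
            if (match($0, /^[ \t]*(function[ \t]+[A-Za-z0-9_.-]+|[A-Za-z0-9_.-]+[ \t]*\(\))/)) {
                def = substr($0, RSTART, RLENGTH)
                sub(/^[ \t]*(function[ \t]+)?/, "", def); sub(/[ \t]*\(\)$/, "", def)
                if (def in watch) print file ":" NR ":function:" def
            }
        }
    ' "$1"
}

# audit_home DIR: check common bash startup files in one home directory.
audit_home() {
    for f in .bashrc .bash_aliases .bash_profile .profile; do
        audit_rc_file "$1/$f"
    done
}

# Constructed sample input: a throwaway home directory with one rc file.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/.bashrc" <<'EOF'
# alias sudo='commented out, so ignored'
alias ll='ls -l'
alias sudo='sudo '
apt() { command apt "$@"; }
EOF
    audit_home "$d" | sed "s|^$d/||"
    rm -rf "$d"
}
demo
```

A hit is a prompt for review rather than proof of tampering, since `alias sudo='sudo '` is also a common benign idiom. In an interactive session, `type sudo apt` shows whether each name currently resolves to an alias, a function or a file on `PATH`.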
