Even if your computer is airgapped, and has never touched the internet since you installed the OS, you still can get a virus via USB, CD, etc, so dealing only with open source software will always reduce these possible exploits by a big %.
While it is true that an airgapped computer can get infected by USB/CD/.. and that open source will definitely reduce this risk, a compromised offline computer does NOT directly mean a loss of funds.
This all depends on the malware and the usage of the offline PC.
A few examples:
1) If it is a simple malware which tries to dump private keys and uploads them onto a server, it won't be able to steal anything from the offline setup since a connection will never be established.
2) If it is an advanced malware which dumps private keys, waits for the next storage device to duplicate itself, to upload the private keys once it reaches an online PC it also can be warded off by simply never use a storage device which has been plugged in into the airgapped pc (e.g. do transfer unsigned TX with a CD which you afterwards destroy, and transfer the signed TX to an online PC via QR codes).
The real danger comes from an advanced malware (2) and a 'bad' user habit (e.g. using same USB to transfer TX's back and forth).
You can never negate every attack vector. The goal should be to make the possibility of getting the private keys compromised as low as possible while still keeping the usability in mind.