There are those developers who insert malware through their built-in update components, so Play Store might not be able to detect it until the next scan.
This is true, but the issue here is that many people trust Google unequivocally, and assume if it is on the Play Store or available as a Chrome extension then it has somehow been vetted and approved, when in reality it has been no such thing, and could contain any amount of malware.
-snip-
None of these things are a flaw in hardware wallets. If you type your seed into a random website, then you are going to lose your coins regardless of what wallet you are using. Good hardware wallets such as Ledger devices have some of the highest resistance to physical attacks of any wallet. Hardware wallets are also great to use with a couple of different passphrases, which provides the best possible protection against a $5 wrench attack.