A hardware wallet is good as much as the user who uses it is versed in what it does especially in terms of receiving/sending transaction. If, for example, you plug a hardware wallet to your computer, start its user interface and decide to send a certain amount of BTC to an address without checking it on the UI and HW device screen, and you have clipboard malware on your computer - some stranger will be very pleasantly surprised with your donation.

Everything else comes down to phishing and human ignorance when it comes to some kind of remote hacking.