It's why using a USB stick to ferry data/transactions between your hot and cold machines is really a breach of the air-gap. Any transfer of data is. (And presumably if your hot machine is infected, any virus can just pass data back via the USB stick, it doesn't need any fancy radio transmissions.)

All input/output needs to be considered a potential conduit for viruses...

The ideal cold wallet wouldn't rely on any data from the outside world. I'm not sure that's possible though. Maybe by splitting the balance into many small amounts on separate private keys and just removing a single private key for a small amount at a time. So the data transfer is only ever *from* the cold machine to the hot machine, via paper wallet or photographing a QR code or something.