Showing 3 of 3 results by TimDavis
Post
Topic
Board Hardware wallets
Re: Hardware Wallet Hacked?
by
TimDavis
on 20/12/2019, 05:41:09 UTC
Can hardware wallets like Ledger Nano be hacked and their coins stolen?
In this link, you will find the 35C3 presentation that discusses and demonstrates how popular hardware wallets can be hacked - https://wallet.fail/

However, do note that physical access to the hardware wallet is necessary for such an attack to even take place. Some hardware wallets ensure that a physical attack will erase all the data contained within it. Hardware wallet makers ensure that they provide secure solutions to every form of attack, such as authentication to assure you that the device you receive has not been compromised in the supply chain or hidden wallets to circumvent a $5 wrench attack. Air-gapped hardware wallets that use QR codes for transactions are also available. Hardware wallets like ColdCard, Ledger, and Cobo Vault use a secure element that ensures that your private key never leaves your hardware wallet, even if your phone or software is compromised.

Hardware wallets are not 100% immune to hacks, especially when it involves instances where someone else manages to get their hands on your seed phrase because you failed to store it somewhere safe.
Post
Topic
Board Hardware wallets
Re: Should hardware wallets use secure elements for max security?
by
TimDavis
on 20/12/2019, 04:56:13 UTC
Your crypto is particularly vulnerable to physical attacks if your hardware wallet doesn't have a secure element. Physical attacks or a lost device are always going to be a threat to Hodlers, but all the more so if your hardware wallet doesn't have a secure element.

Any thoughts?

While it's true that a hw wallet can be vulnerable to physical attacks, if you don't have a strong additional passphrase, a secure element could be just as vulnerable. Some wallets have taken additional steps to wipe the private key from the hw wallet if the wallet is opened or tampered with, which is a smart move, but could also be problematic. Having an additional passphrase will provide more protection since it's not stored on a hw wallet and you could also split your coins across different passphrases.
There is actually a good reason why a hardware wallet should use a secure element. It ensures that your private key never leaves your hardware wallet, even if your phone or software is compromised. It's like your best final line of defense. Also...what if I forget or lose the passphrase?
Post
Topic
Board Bitcoin Discussion
Re: Can you use a phone for signing Bitcoin transactions offline?
by
TimDavis
on 19/12/2019, 07:34:18 UTC
Using an air-gapped computer or mobile phone as cold storage is a very unsafe practice. In his very exhaustive research, Dr. Mordechai Guri clearly explains how your private keys can be extracted from them. The research paper can be found here: https://arxiv.org/pdf/1804.08714.pdf

Put briefly, when you’re signing and broadcasting your transaction, you would probably need to introduce removable media such as an SD card or USB cable to your air-gapped computer. A virus can then infiltrate your system via the USB, after which it can control and send instructions to a specific component in your computer to export your private keys. One of the surprising ways it can do that is by taking control of the computer’s fan to extract information from the sound it makes! The output from your computer, be it in the form of light, sound, or radio signal emissions, can be picked up to extract your private keys. Android devices are not safe either. They rely on TrustZone, which is susceptible to side-channel attacks, and are hence unsafe to be used as cold storage. The iPhone uses a secure enclave, but it can only be used for Apple functions, requiring you to download a third-party app if you use your mobile as a cold wallet.

Check out this interesting article that clearly explains how security can be compromised if you plan on using an air-gapped computer or mobile phone for your crypto: https://medium.com/cobo-vault/air-gapped-computers-and-phones-vs-hardware-wallets-whats-the-difference-f06790316f03