With a hardware wallet, transactions are signed directly on a device with a very limited attack surface.
In contrast, a software wallet involves loading the private key into the device's memory (PC, smartphone, etc.), thereby exposing it to potential risks.
Since these devices are connected to the internet and host various programs, there is a risk that a malicious actor could exploit vulnerabilities in the software and extract the keys.
As any security professional will attest, no system is entirely secure, including hardware wallets.
However, the likelihood of key extraction is significantly reduced compared to hot wallets.
That being said, there remains an issue that even hardcore Bitcoin enthusiasts often overlook: securing the seed phrase.
In security terms, this is known as the secret zero problem, a chicken-and-egg paradox that lacks a definitive solution.
Even if you have a hardware wallet, securing your seed is crucial.
Writing it in plain text on paper or metal is far from a secure method.
Personally, I always aim to create multiple encrypted digital copies using strong symmetric algorithms (e.g., AES-256) and a lengthy passphrase that is easy for me to remember.
Of course, the encryption process should take place within a machine that is not connected to the internet and preferably newly created (e.g., a Linux virtual machine).
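The encrypt-then-verify step described above, as an added example rather than the author's own procedure: it derives an AES-256 key from a passphrase with PBKDF2, encrypts the seed phrase, and confirms the round trip before any plaintext copy is destroyed. It assumes OpenSSL 1.1.1 or later (for the -pbkdf2 option) on an offline machine; the seed words and passphrase are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the author's procedure: encrypt a seed phrase with
# AES-256 under a passphrase-derived key, then prove the round trip works
# before the plaintext copy is destroyed. Assumes OpenSSL >= 1.1.1 (-pbkdf2).
set -eu

ITER=600000   # PBKDF2 iterations: raises the cost of offline passphrase guessing

# Encrypt plaintext file $1 into ciphertext file $2 with passphrase $3.
# -salt: fresh random salt per encryption, so two copies of the same seed
#        never produce identical ciphertext.
# -pbkdf2: replaces OpenSSL's legacy one-pass key derivation.
# The passphrase is fed on stdin rather than argv, so it does not appear
# in the process list.
encrypt_seed() {
    printf '%s\n' "$3" | openssl enc -aes-256-cbc -salt -pbkdf2 -iter "$ITER" \
        -in "$1" -out "$2" -pass stdin
}

# Decrypt ciphertext file $1 into plaintext file $2 with passphrase $3.
decrypt_seed() {
    printf '%s\n' "$3" | openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" \
        -in "$1" -out "$2" -pass stdin
}

# Return 0 only if decrypting $1 with passphrase $2 reproduces $3 byte for
# byte. A wrong passphrase fails the padding check or the comparison.
verify_roundtrip() {
    tmp=$(mktemp)
    if decrypt_seed "$1" "$tmp" "$2" 2>/dev/null && cmp -s "$tmp" "$3"; then
        rm -f "$tmp"; return 0
    fi
    rm -f "$tmp"; return 1
}

# Demo with a constructed, non-real seed phrase and a placeholder passphrase.
WORK=$(mktemp -d)
printf '%s\n' 'abandon ability able about above absent absorb abstract absurd abuse access accident' \
    > "$WORK/seed.txt"
PASS='placeholder passphrase, replace with a long one you can remember'
encrypt_seed "$WORK/seed.txt" "$WORK/seed.enc" "$PASS"
if verify_roundtrip "$WORK/seed.enc" "$PASS" "$WORK/seed.txt"; then
    echo "round trip OK: seed.enc can now be copied to several media"
fi
rm -rf "$WORK"
```

Because `openssl enc` offers no authenticated mode, the CBC ciphertext carries no integrity tag; the round-trip check is what confirms a given copy still decrypts to the original seed.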