[chlorion]

There are code execution vulnerabilities in common software, including the kernel and your favorite browser, probably at least once a month, and likely more.

You can go checkout a CVE listing website if you don't believe it.

The thing you may be not thinking of, is that the software itself doesn't have to be intentionally designed to be malicious for it to do harm. Lots of software is written in memory unsafe languages and is full of nasty subtle bugs that can be exploited.

There are also supply chain issues, your favorite open source project's maintainer might have their github credentials phished, and code to do something nasty sneaked into an otherwise normal seeming update. This has happened and is not just a theoretical scenario!