Although hardware wallet undoubtedly has distinct advantages, it is not bulletproof or maybe it's better to say it is not resistant to human stupidity.
There is no security system in the world which is entirely resistant to human stupidity, and unfortunately, there is plenty of human stupidity to go around. There was a story not long ago about Coinbase itself (not Coinbase users, but the actual exchange) being hacked via phishing emails sent to their employees. Of all the places to target, you would have thought that Coinbase employees were less stupid about this kind of stuff than the average person, and Coinbase would have some proper security in place to prevent it.
It says so on the recovery sheets that are included in the package of your hardware device.
It's definitely true that many users don't read the instructions before using their device, but I've always thought the "Store it securely" and "Don't share it" warnings are not clear enough. I've always said that we should be telling new users that as soon as you have to enter your mnemonic phrase
anywhere, you should consider it compromised and sweep the wallets immediately. I'd much rather they err on the side of caution than take a risk.