One thing to consider is that they can't "hack" you if they don't get access to your private keys, whether or not you use their software. There are plenty of tools that you can use to generate your private keys offline, and if you take special care that they're never exposed online, you're pretty much hack-free.
One easy example I can think of is an air-gapped PC with an Electrum wallet. You generate your keys offline, and make sure the PC doesn't ever go online again. Setting one up correctly means you're virtually hack-proof, except in cases where hackers have had physical contact with your device.
There are also open source projects, but other than that, yeah, you will have to trust developers.
Well, that's 99% true, but you're forgetting a botched RNG... If I were to write a wallet that picks a random integer between 1 and 10000, then calculates the sha256() hash of this integer and uses this hash as a private key, it does not matter if my wallet's users use my wallet only in an air-gapped scenario... The private keys they generate could only be one of the 10000 possibilities.
Even without using a GPU, it would only take me less than an hour to brute-force all possible keys, calculate the public key, generate the address and check for unspent outputs funding this address...
Now, this is not the case for Electrum, but it *could* be the case for other, closed-source, wallets (you never know)...
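An added example, not part of either post: the flawed scheme described above next to a CSPRNG-based generator, with two audit checks (is a given key inside the 10000-key space, and does a generator repeat keys). The function names and the decimal-ASCII encoding of the integer before hashing are assumptions.

```python
import hashlib
import math
import random
import secrets

# secp256k1 group order: a valid Bitcoin private key k satisfies 1 <= k < N.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
WEAK_RANGE = 10000  # seed space from the post: integers 1..10000

def weak_key_from_seed(seed: int) -> bytes:
    # Flawed scheme from the post. Assumption: the integer is hashed as decimal ASCII.
    return hashlib.sha256(str(seed).encode()).digest()

def weak_private_key() -> bytes:
    return weak_key_from_seed(random.randint(1, WEAK_RANGE))

def strong_private_key() -> bytes:
    # 256 bits from the OS CSPRNG, retried until inside the valid range.
    while True:
        key = secrets.token_bytes(32)
        if 1 <= int.from_bytes(key, "big") < N:
            return key

def effective_bits(candidates: int) -> float:
    return math.log2(candidates)

def weak_seed_for(key: bytes):
    # Audit: return the seed if `key` lies in the 10000-key space, else None.
    for seed in range(1, WEAK_RANGE + 1):
        if weak_key_from_seed(seed) == key:
            return seed
    return None

def duplicate_count(generator, samples: int) -> int:
    # Black-box check usable on any generator: repeated keys mean a tiny key space.
    seen = set()
    dupes = 0
    for _ in range(samples):
        key = generator()
        dupes += key in seen
        seen.add(key)
    return dupes

if __name__ == "__main__":
    print(f"weak scheme: {effective_bits(WEAK_RANGE):.1f} bits, CSPRNG: ~256 bits")
    print("weak key traced to seed:", weak_seed_for(weak_key_from_seed(4242)))
    print("CSPRNG key traced to seed:", weak_seed_for(strong_private_key()))
    print("duplicates in 500 weak keys:", duplicate_count(weak_private_key, 500))
    print("duplicates in 500 CSPRNG keys:", duplicate_count(strong_private_key, 500))
```

The duplicate check needs no knowledge of the generator's internals, so it can be run against keys produced by a closed-source wallet on the air-gapped machine; passing it does not prove the generator is sound, it only rules out very small key spaces.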