Of course they would. Modern Linux, FreeBSD and macOS are totally fine connected to the internet directly with ssh enabled and no firewall. Sure; if you expose samba with write access and no password, you’re in for a world of hurt. But so long as your machine is kept up to date with security patches and has some form of authentication on all remote services, it should (generally) survive just fine on the open internet.
Of course defence in depth is still a good idea. But script kiddies aren’t using 0day attacks to portscan the open internet. But security vulnerabilities in network services get fixed.
If I read that right, I would like two things clarified:
1: what "default installation" means. Do you have any open network ports?
2: What does "get a malware" mean? Do you mean it was possible to get malware because a user downloaded som random binary off of the internet? Or do you mean that entirely passively, some malware remotely exploited some network service?
I would like to contribute my experience: I have been responsive for running many Debian servers on the internet for that last 25 years. During those years I have not once encountered one of my systems being compromised. Of course, you might say that I have just been unknowingly compromised. While this is indeed possible, it is possible for all systems to be compromised without owners knowing it.
I didn't test this with a virus check, but I have a bitcoin wallet with 0.1 BTC and without password on my HDD. Still there.