If I read that right, I would like two things clarified:
1: what "default installation" means. Do you have any open network ports?
2: What does "get a malware" mean? Do you mean it was possible to get malware because a user downloaded som random binary off of the internet? Or do you mean that entirely passively, some malware remotely exploited some network service?
I would like to contribute my experience: I have been responsive for running many Debian servers on the internet for that last 25 years. During those years I have not once encountered one of my systems being compromised. Of course, you might say that I have just been unknowingly compromised. While this is indeed possible, it is possible for all systems to be compromised without owners knowing it.