Also, the entirety of an operating system including all programs running on it can hardly be called “simple”. 
In general, repositories like the default pacman package repositories, the repositories of other distros, or the AUR as a user repository should already offer quite a bit of security because they are used by lots of other people, the packages are flagged, voted on, commented on, etc. There is little room for malicious uploads, like in any repository (or “store” if you will).
Windows users are comparatively more at risk (maybe without realizing it) because they’re used to going to lots of different websites from lots of different developers or companies to download their packages from, and there’s always a chance that one of those sites might offer malicious downloads. It’s also quite “normal” that big download sites offer customized installers to include various spyware. The user has to be aware of that at all times.
Linux users have the luxury of usually getting their stuff from just one or very few places, and there’s less room for malicious packages. I think overall the risk is quite low.
But, as always: security is a process. Not a button, not a piece of software, not a one-time thing that you forget at some point. It’s a constant process and the user has to incorporate that into every decision he makes. That means: better to be safe than sorry. If you know bash scripts, it takes just a few seconds to go over a PKGBUILD file. And then you can sleep better at night.
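The quick PKGBUILD read that the post recommends, as an added example that is not part of the original post: a bash helper that greps a PKGBUILD for the things worth reading first (source URLs, checksums set to SKIP, pipe-to-shell downloads, eval/base64 tricks, an .install file) without ever sourcing it, because sourcing a PKGBUILD executes it. The sample PKGBUILD, its host names and the helper names review_pkgbuild/count_red_flags are constructed for this example; a count of zero means nothing obvious turned up, not that the package is safe.

```shell
#!/usr/bin/env bash
# Added example, not from the forum post: a grep-based pre-read of a PKGBUILD.
# It deliberately never sources the file (sourcing runs it; so does makepkg).
# Helper names and the sample package are hypothetical.

# Constructed sample PKGBUILD with a few deliberate smells; not a real AUR package.
SAMPLE_PKGBUILD='pkgname=example-tool
pkgver=1.2.3
pkgrel=1
url="https://example.invalid/example-tool"
source=("https://example.invalid/example-tool-$pkgver.tar.gz"
        "http://mirror.example.invalid/extra.sh")
sha256sums=("0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
            "SKIP")
install=example-tool.install
build() {
  cd "$pkgname-$pkgver"
  curl -s https://example.invalid/setup.sh | sh
  make
}
package() {
  make DESTDIR="$pkgdir" install
}'

# review_pkgbuild FILE: print what a human must read, plus FLAG:/INFO: lines.
review_pkgbuild() {
  local file=$1 skips

  echo "== URLs in $file (check that every host really is the upstream project) =="
  grep -oE 'https?://[^"[:space:])]+' "$file" | sort -u

  # Plain http:// gives an attacker on the path a free swap of the download.
  if grep -qE 'http://' "$file"; then
    echo "FLAG: something is fetched over plain http:// (no transport integrity)"
  fi

  # SKIP means "do not verify"; normal for git sources and .sig files,
  # suspicious for tarballs or loose scripts.
  skips=$(( $(grep -o 'SKIP' "$file" | wc -l) ))
  if [ "$skips" -gt 0 ]; then
    echo "FLAG: $skips checksum(s) set to SKIP; those sources are not pinned"
  fi

  # curl/wget piped into a shell: what runs is whatever the server sends now,
  # not what the PKGBUILD's checksums pin.
  if grep -qE '(curl|wget)[^|]*[|][[:space:]]*(ba|z|da)?sh([[:space:]]|$)' "$file"; then
    echo "FLAG: pipe-to-shell download in a build function"
  fi

  # eval / base64 -d in a build script usually exists to hide something.
  if grep -qE '(^|[[:space:]])(eval|base64[[:space:]]+(-d|--decode))' "$file"; then
    echo "FLAG: eval or base64 decode in a build script; read what it hides"
  fi

  # The .install hooks (pre/post_install etc.) run as root when pacman installs.
  if grep -qE '^[[:space:]]*install=' "$file"; then
    echo "INFO: ships an .install file; its hooks run as root, read that file too"
  fi
}

# count_red_flags FILE: number of FLAG: lines (0 = nothing obvious, not "safe").
count_red_flags() {
  review_pkgbuild "$1" | grep -c '^FLAG:' || true
}

SAMPLE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_PKGBUILD" > "$SAMPLE_FILE"
review_pkgbuild "$SAMPLE_FILE"
echo "red flags: $(count_red_flags "$SAMPLE_FILE")"   # 3 for the sample
```

Run it on the PKGBUILD (and then actually read build(), package() and the .install file by hand) before `makepkg -si`; note that makepkg itself sources the PKGBUILD, so even `makepkg --printsrcinfo` already executes whatever is in it.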