That was just an insta-example but...
It was only an example from the top of my head, but I'll play along.
> Are you changing from email/mutt to xsession?
No
> Who would copy a script to my xsession?
To your xsession file. To which you have write access even in console mode. And any program you run has, too, presumably. All it takes is a vuln in a "3rd party" piece of soft allowing to add a line to a text file you have write access to. (of course most distros don't create a ~/.xsession file anymore by default, but I'm quite sure it would be used if it was to be created...).
> While I am at lunch and Mr./Miss. hacker boots my lappy into the run level 1 (ro single)?
No
> We are not talking about this possibility.
indeed
> As it follows from most of compromised systems (including Debian) ssh policy is the weakest link, (not the technology). This again is a different subject.
The weakest link is actually fancy format with accumulation of bolted-on "functionalities" over the years (yes, pdf, I'm looking at you).
> If you have a link to point to any REAL existing cases (or thousands of cases) when that had happened, I will agree with you. Remember the 50mln machines infected by ILOVEYOU?
Real-life example of pwned GNU/Linux boxen? There are plenty. However, you are right, fragmentation of the platform, small luserbase and less idiotic default configs mean that it is harder to bulk-compromise millions of machines with the same snippet of code. Targeted attacks against a particular machine or group of machines are still very feasible, and yes, it could be done via a malicious file sent by email. (Note that Windows' security dramatically increased since the days of ILOVEYOU. Still not perfect, but it's now swiss cheese instead of cottage cheese!)
> Note, that I am not asserting that Linux/BSD are so secure, one has to pay zero care to the security.
We do agree then.
> Up-to-date system, strong passwords (no reuses) and so on. However, emailophobia is a paranoia. This is one of many reasons why Windows sucks.
With a bit of knowledge about one's machine, it is perfectly possible to compromise a Debian machine by tricking a user into opening a malicious email attachment. Maybe not as big a threat as for Windows users, but still present.