Every device, every software will have vulnerabilities. The key here is, that they (Trezor) have a healthy attitude towards them. They fix them as they learn about them and they do have a bug bounty program, which, afaik works pretty well.
I don't know the situation with Ledger, hopefully they do have something similar in place.