Dismissing a member’s opinion as ‘nuts’ is not the kind of language I have come across in my years as a member.
I agree that was harsh.
And you're right that Steam is a target -- moreso than other game download sites because of the trading of virtual goods they've implemented (and money involved) as well as because of their size. Valve/Steam has said so themselves.
Computer and website security is an ongoing process. It is never solved for good, no matter what may be claimed by advertisers. The bad guys are very clever at finding new vulnerabilities, both in website software and in the Internet system itself. The Internet was not developed with security in mind -- security wasn't a concern in the early days of the Internet -- and thoroughly patching it without breaking it is a huge job that may not be possible.
Steam has a grade of F at BBB, mostly due to poor customer service and reneging on promised refunds, and that's from January this year, not two years ago. You can read the "pattern of complaint" at BBB ***here***
It's not likely the game downloads are infected though -- at least not beyond the usual monitoring that comes with using the Steam client.
Infected downloads usually come from websites that offer "free" games. For example this...https://www.bleepingcomputer.com/forums/t/303896/infected-with-game-house-games-pop-up-window/
Therefore, it's taken steps to improve security and close loopholes. The developer also says it's improved how and when it informs users that their account is at risk and has introduced a self-locking system and two-factor authentication through Steam Guard.
Steam Guard is "two step" authentication, which is not the same as "two-factor"
means one each (not two the same) of any two of the following
something you know (passwords)
something you are (fingerprints, retina scans)
something you have (security tokens) https://en.wikipedia.org/wiki/Security_token
Steam Guard is "two step" authentication -- two "something you knows" -- not "two factor"
Security experts have stated that "two factor" authentication is very safe, so advertisers have subverted the definition and conflated it with "two step" by calling it "two factor authentication using SMS." Steam isn't the only online website guilty of this by any means. Just be aware that Steam Guard and similar systems that use SMS or email aren't true "two factor" authentication. SMS has multiple vulnerabilities, and the difference in security between true "two factor" authentication and using SMS is huge. An SMS message on whatever smart phone you receive the message on is no substitute for a real security token.