One of the greatest strengths of Linux over other operating systems is the centralized software and update management tools that come built in. This means that whenever there is an update to any of the packages or software you have installed, you are sure not to miss it. This alone goes a long way toward improving the security of a Linux system.
However, I noted a common misconception (I believe it’s not just one person who has this notion) that every piece of software in the Ubuntu repository is checked for malicious code by Canonical before it is uploaded. This, I believe, is not what happens, since the USC currently lists over 30000 applications. Checking every single one of them for malicious code could easily take a lifetime.
What I believe happens is that, given the centralized nature of package management, when a flaw is detected in any piece of software, it is easy to distribute a fix to all those running that application, sometimes within hours. A package being in the USC simply means it will receive regular updates as and when they become available.
Regardless, it still behooves you, the end user, to be circumspect about the software you install on your system and to apply updates as soon as possible. There is no surefire way to guard against malicious code, but the centralized nature of package management makes containing such malice easy and hassle-free.