When considering all possible attack vectors, you come to the conclusion that a hardware wallet has a larger attack surface than an air-gapped wallet.
You can pretty much break everything down to be relatively equal.
But one important attack vector is the online machine it is used with. While in theory there shouldn't be any way to compromise the device from an online PC, this shouldn't be completely ignored.
Phishing attacks especially can work pretty well. And a vulnerability in the microcontroller and/or secure element can make the hardware wallet insecure when used with a compromised PC (which it is made for).
This attack vector only applies to hardware wallets, but not to air-gapped wallets.
I wouldn't consider a hardware wallet as secure as an air-gapped wallet solution.