Indeed, it’s good to be cautious. IMO, Qubes OS is a natural fit for general cryptocurrency use cases, as cryptocurrency concerns natively-digital objects of value, and Qubes OS is designed to protect digital activities and data. In principle, there isn’t really anything different between protecting cryptocurrency activity/data and protecting any other kind of digital activity/data. As with everything, Qubes OS can only protect you if you learn how to use it properly (I recommend reading the documentation to help with that), though it does try very hard to help you avoid shooting yourself in the foot.
See here for a brief high-level sketch of a hypothetical cryptocurrency setup. Reading through the other examples might also help give you an idea of what Qubes can do for you.
That risk is always present (i.e., non-zero) with any kind of technology. All security-oriented technology can do is reduce the risk, never eliminate it entirely. For example, even a cold storage hardware wallet that has never touched an online computer is not 100% risk-free, since it’s possible that, e.g., a subtle supply-chain attack introduced an almost imperceptible bias in the random-number generator that makes brute-force attacks feasible for the attacker.
Or, as another example, there could be a quantum-computing breakthrough related to Shor’s algorithm that allows the public-key cryptography on which cryptocurrencies are built to be broken sooner than expected; or new quantum-resistant algorithms might emerge more slowly than expected, delaying migration; or you personally might not be able to migrate to new wallets using quantum-resistant cryptography in time (in a coma from an accident?); and so on.
These are just a couple of random examples out of (probably) an infinite number of possible scenarios. The point is that nothing in the real world can ever be guaranteed to be 100% secure. Even if a technical design were provably secure in theory, it still has to be implemented in the real world out of physical matter at some point (or else you can’t actually use it to do things in the physical world), which is an inherently messy process vulnerable to interference and attack at most steps along the way.
But just because there’s no such thing as absolutely perfect security in the real world doesn’t mean that there isn’t such a thing as more security or less security. Security isn’t binary. It’s also relative. What counts as secure for others will not necessarily be the same thing that counts as secure for you, because it depends on your threat model. (At the most basic level: What are you trying to protect and from whom?)
What do you mean by “distribution channels”?
If you mean the process by which you download and install Qubes OS, and if you’re concerned that attackers might try to get you to install a compromised version of Qubes OS, then you should read about verifying signatures, which directly addresses this.
Regarding the risk of ransomware in general, I think Qubes OS is quite well-suited to handling it, since the ransomware (like any malware) should only be able to infect the qubes to which it has access, which (if you organized your qubes wisely) should only be untrusted qubes without any valuable data. Of course, keeping good backups is also key to protecting against and recovering from ransomware, and Qubes makes it easy to do that securely too.