Awesome news
I’d take those lists with a big grain of salt. First off, it would be good practice to have links to those cited lists. These sites aren’t any of the more known and trusted sites for this kind of assessment. The lists themselves are just opinion lists, not studies nor did the reviews do any testing or have the devices at hand. At best, they are about “potentially could be secure” based on marketing material. Even then these lists are not really taking into considerations different scenarios and threat models - “secure to at what level and how” and “is it private too, and to what level and in what areas” (security and privacy can clash), although points for at least not fully forgetting that. Some security features that users can implement aren’t mentioned which is a bit odd and speaks to the level of journalism that the lists are. More to the point, some of the basic issues aren’t mentioned either - like the lack of updates PureOS has had, weak support to react to or proactively find issues, usability issues that affect security and privacy, that PureOS doesn’t even have rudimentary CVE or issue tracker or code audits etc. All reasonable things for a small organization that doesn’t have the resources - which is part of the overall security of the phone, from one perspective (the processes behind it). Potential may be there but there is still a lot to do be really secure - and there are variations of that, based on the usecases/risks. Besides, if I’m not mistaken, these are just what has been commercially available, so it’s all relative anyway.
So, it’s just marketing hype.
What else did you expect? I did not even read it, because I knew it’s just marketing. However, it is the most secure phone, once HKS are all off. Nobody without physical access to the device can hack or track you. But well, you barely can use it as phone this way. 
For all the flaws of such lists, it is better to be on the list than not on the list. It is creating brand awareness.
These lists are such cheap journalism that they even have their own descriptive term, listicle.
Yes, like I said, those don’t have any real tes(ts) in them… 
It wasn’t unclear to me what that was. It annoys me that they continue with those - could do better (even take a more analytical view on this one for more credibility, as I think these fluffy marketing texts will turn against Purism).
In terms of security, I think that the HKS are overrated.
If you’re really determined to hack my device, it’s really trivial to just wait until the next moment I go online. The same goes for exfiltrating data.
The HKS might help a bit if you see it as defense in depth, but living in a false sense of security can be dangerous, too.
Just don’t turn on the HKS again. Problem solved. 
No the HKS are not overrated. They do what they do, nothing more or less. Nobody said they protect you at the moment your device can record or transmit data. But what I wrote above was just a joke (I thought with last sentence it would be clear enough).
Apologies if my words were ambiguous. I did get the jest in your comment. However, it reminded me of a thing that one IT security person at my former workplace told me. They claimed in earnest that the data on their personal smartphone was particularly secure because they had made it a habit to painstakingly (soft) turn off Wi-fi and mobile data whenever they weren’t using it.
This means that there are people out there, albeit not in this particular thread, who tend to feel more secure due to some kind of soft- or hardware kill switch, which is not only a fallacy but can also be actively counterproductive to IT security. That’s why I think a periodic PSA is in order.
Here are the links to the articles mentioned:
Efani: Top 10 Most Secure Phones to Buy in 2025 (Updated Edition)
Analytics Insight: Top 10 Most Secure Smartphones of 2025 to Keep Your Data Safe
Navi: What Are the Most Secure Phones in 2025? 5 Options
Cashify: Top 23 Most Secure Phone In The World That Can't Be Hacked! | Cashify Blog
To my mind, the main benefit of switching off a radio is privacy i.e. the avoidance of tracking.
However, if you are a target then there is a security aspect of that.
For exfiltration, I agree with you. It’s security theatre because the malware will just wait until you are online.
But for an attack that gets the malware on there in the first place, it may actually need the radio to be on in order to implant the malware.
Let’s say there is a buffer overflow exploit in the kernel relating to the Bluetooth stack. Let’s say you can’t be attacked via Bluetooth when at home (security perimeter too good / the attack needs to be done in secret in order for the attack to be effective). Let’s say you always switch off the Bluetooth radio when out of your home, the only time that that particular exploit can be attempted.
So, conversely, having the Bluetooth radio on when out of your home not only potentially allows you to be tracked as a target but potentially allows you to be confirmed as the target and, regardless, allows the exploit to be carried out.
If I replaced Bluetooth with WiFi in this theoretical example, it wouldn’t make much difference.
This is just an example of course and it may not match the actual threat model faced by most forum users. I hope it doesn’t!
Considering it from a more general perspective, it’s about the attack surface. You might not know whether such exploits of the Bluetooth / WiFi stacks exist but if you don’t need Bluetooth / WiFi at a particular moment in time, why not reduce the area of your attack surface by switching them off? That is just good security.
EDIT: my comment followed from misremembering the conversation leading up to this post:
It sounds like there was at least one instance of the hardware switch breaking and failing to disable Wi-Fi.