It's not a security professional saying this though. It's a politician.
You can never be 100%, you're right. You can be aware of common attack vectors and address them though. You can be aware of what resources are most vital to protect or are common targets in your industry and focus your efforts.
Most people actually in security will tell you the same.
It would depend on the exploit. For a simple example, an exploit that was a result of a flaw in the file specification could result in it being cross platform.
It's going to be rarer to find something of that scope, maybe even to the point of you being effectively right.
Also dodgy files can contain multiple exploits, potentially for different platforms. Problem here from the malicious actor's point of view is that each vector for attack is also a vector for detection, so rather than a cesspool of exploits it makes more sense to use single new and mostly unknown exploit that targets software used by the greatest number of victims.
The two of you have different priorities. You are both right and both wrong.
It's not really the kind of thing that requires a citation. However it's trivial to Google and see there are a whole range of opinions on the matter.