As I understand this, virtually every machine gets exposed to the garden-variety malware; whether it's vulnerable to the given exploit is a different matter (look at the obsolete Java and Flash plugins eeeverywhere). Moreover, it is also important whether the exploit has an appropriate payload for the given system (I have yet to see e.g. a browser-vector transmitted payload which would run on Linux - which says something about its marketshare, not necessarily about its security).
And of course "absence of evidence is not evidence of absence," so either the scans suck hard, or you're clean; but barring a more specific (and probably not fully-automated) inspection, there's no way to tell.
And of course "absence of evidence is not evidence of absence," so either the scans suck hard, or you're clean; but barring a more specific (and probably not fully-automated) inspection, there's no way to tell.