Of course it is.
I have no doubt that there are vulnerabilities in Steam. Why would you think game developers are magically capable of writing secure C/C++ code, when no mainstream OS developers have been able to do so, despite being largely security-focused?
I used to make cheats for Crysis, and accidentally stumbled across a format string vulnerability. This was a highly acclaimed game, and yet I found a vulnerability in it without even trying. Around the same time, Luigi Auriemma was finding vulnerabilities in top titles like Call of Duty 4, Halo, Quake 3, and various game tools like Ventrilo. He found tons of vulnerabilities in all these products like it was nothing. There must be tons more.
So it's safe to say that there are tons of vulnerabilities in games and related products such as Steam, and people most likely do have 0days for them, not to mention Steam devs or anyone selling a product over Steam could choose to distribute malware to you.
It's still rare that you see 0days published for Steam and video games in general, so unless you are a worthwhile target, you probably aren't going to get exploited this way.