Ultimately, wallet security comes down to who has access to your private keys. Owners of private keys truly own the assets in a wallet. Private-key ownership also includes the burden of ensuring the keys remain secure. Because of this, many people choose to use custodial wallets, outsourcing security to a qualified and trusted partner, such as BitGo.
Custodial private-key ownership shares fundamental similarities with the roles that banks play in securing and managing money. People and organizations with a great deal of money likely store their funds in a bank they trust. The bank keeps the funds secure by functioning as an intermediary for transactions.
The most secure key-storage option is an air-gapped Hardware Security Module (HSM). An air-gapped HSM is a computing device that's impossible to remotely compromise, because it's never been connected to the internet. To access a private key from an HSM, you have to physically interact with the device. Depending on the HSM, you might also have to pass additional security measures, such as passwords or biometric locks. Additionally, HSMs are likely kept in secure locations.
For custodial wallets, you outsource security to a third party, such as exchanges, ETFs, or dedicated custodians, like BitGo. You don't have to worry about managing your private keys. However, you don't truly own the funds in that wallet; the custodian does. Therefore, it's immensely important that you trust your custodian and have some insurance in place. BitGo stores all keys for custodial wallets in air-gapped HSMs in secure locations.
For self-managed wallets, you're responsible for securely storing your keys. You can do this however you choose. Fundamentally, key storage can be as rudimentary as writing the key down on a piece of paper. However, BitGo strongly recommends against storing your keys in such a precarious state. An air-gapped HSM is the safest and most private key-storage solution. However, if maintaining your own HSM isn't an option but you still want to use a self-managed BitGo wallet, you can use third-party key-management services.