Well of course. Apple has only certified iOS to provide resistance against attackers with a basic attack potential. Why should it be any wonder that their security is inadequate against moderately or even highly skilled attackers?
I’m not sure Common Criteria has much to do with it. Companies only get CC certification so their devices or applications can be used by certain government organizations.
And so no company is going to target a cert level higher than the minimum they need to meet whatever business requirements are driving them to get CC certified.
And CC certainly isn’t a good reference for good security and cryptography engineering practices. It’s not bad, but it misses a lot.
To add, while Obama was told he couldn't have an iPhone[0], Trump apparently had two NSA-secured iPhones in 2018[1], so the basic OS is secure (and likely loaded with MDM, maybe even jailbroken to disable Safari JIT or disable Safari entirely).
Similarly, rooting an Android phone simultaneously increases its attack surface and helps you tie down components that you otherwise couldn't without recompiling the OS.
Though, in the long run, I wonder if Androids can be more secure than iPhones.
None of what you posted has anything at all to do with the popular perception that iPhone is especially secure, which is obviously what's referred to by "despite the hype".
I have no doubt Apple is perfectly capable of securing iOS and macOS against these relatively simple attacks.
I also have no doubt it has no intention of doing so. It honestly seems very naive to believe that a huge multinational corp would not allow state level access.
At the top level, the vulnerability is in a parser for a compressed image format. The parser isn’t scriptable or programmable, but the code is subverted, exposing some very primitive logic operators that can be applied to image data. Specifically AND, OR, XOR and XNOR.
The attack then uses these fundamental Boolean operators to construct virtual circuits to emulate a primitive custom CPU architecture using only raw bitwise logic, and uses that to run a virtual machine implementing a bespoke Turing complete bytecode interpreter. This then runs the rest of the payload as a program that implements the spyware functionality.
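The point in the comment above, that AND, OR, XOR and XNOR over image data are enough to compute anything, can be shown with a small added example (not part of the thread and not code from the exploit). It models bit-planes as Python integers and builds an inverter, a multiplexer, an adder and a multiplier from those four operators only; all function names are hypothetical.

```python
# Added illustration: a bit-plane is a Python int, one bit per "pixel".
WIDTH = 8
MASK = (1 << WIDTH) - 1

# The four operators named in the comment, applied across a whole bit-plane.
def AND(a, b):  return a & b & MASK
def OR(a, b):   return (a | b) & MASK
def XOR(a, b):  return (a ^ b) & MASK
def XNOR(a, b): return ~(a ^ b) & MASK

def NOT(a):
    # XNOR against an all-zero plane inverts every bit; with NOT available,
    # the operator set is functionally complete.
    return XNOR(a, 0)

def MUX(sel, a, b):
    # Per-bit select: a where sel is 1, b where sel is 0 (a conditional move).
    return OR(AND(sel, a), AND(NOT(sel), b))

def full_adder(a, b, cin):
    # One-bit adder on single-bit inputs (0 or 1), gates only.
    partial = XOR(a, b)
    total = XOR(partial, cin)
    carry = OR(AND(a, b), AND(cin, partial))
    return total & 1, carry & 1

def add(x, y):
    # Ripple-carry adder. Shifts here are only wiring (which bit feeds which
    # gate); every value is computed by the four operators above.
    carry, out = 0, 0
    for i in range(WIDTH):
        bit, carry = full_adder((x >> i) & 1, (y >> i) & 1, carry)
        out |= bit << i
    return out, carry

def is_zero(x):
    # OR-reduce every bit, then invert: a one-bit zero flag for branching.
    acc = 0
    for i in range(WIDTH):
        acc = OR(acc, (x >> i) & 1)
    return NOT(acc) & 1

def multiply(a, b):
    # Loop built from the gate-level pieces: add, decrement, test for zero.
    acc = 0
    while not is_zero(b):
        acc, _ = add(acc, a)
        b, _ = add(b, MASK)  # adding 0xFF subtracts 1 modulo 2**WIDTH
    return acc
```

Arithmetic, comparison and conditional selection are the pieces a register machine needs, which is why a parser with no scripting engine cannot be assumed to limit an attacker to simple data corruption.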
Here we can see their certifications under the Common Criteria:
https://support.apple.com/guide/sccc/security-certifications...
For iOS 14, their most recently certified version, we see under their Security Target under Security Assurance Requirements on page 82:
https://support.apple.com/library/APPLE/APPLECARE_ALLGEOS/CE...
They conform to the AVA_VAN.1 requirement.
The official guidance for what qualifies as conforming to the AVA_VAN.1 requirement for their protection profile is described on page 136:
https://www.niap-ccevs.org/MMO/PP/pp_md_v3.1.pdf
“The evaluator shall conduct penetration testing, based on the identified potential vulnerabilities, to determine that the TOE is resistant to attacks performed by an attacker possessing Basic attack potential.”
Which is consistent with the text of the Common Criteria standard on page 170:
https://www.commoncriteriaportal.org/files/ccfiles/CCPART3V3...
Which by page 31 of the same document corresponds to EAL1 under the old EAL model.
To reach "resistant to attacks performed by an attacker possessing Moderate attack potential" would require conformance to AVA_VAN.4, 3 entire levels higher than their certification (corresponding to EAL5 under the old EAL model) and 1 level higher than any Apple, Google, Microsoft, or Linux system ever created and which has been deemed economically infeasible for them to ever retrofit onto their existing products as stated on page 38 of the same document.