I only know of many 'local' vulnerabilities, but those include remote exploits of Android that turn into local radio exploits.
Keep in mind that, given my skills at the time, I was looking for the "easy" wins like boundary-checks and logic errors rather than what I would consider more advanced ones like double-free, use-after-free, etc.
Given what I've seen of the QCOM assembly that faces userspace, I would say the likelihood that there are low-hanging fruit vulnerabilities in the protocol-facing side of the radio code is near 100%.
To answer your question, yes, "the complexity of the protocols" is what is stopping the majority of attackers IMO.