
I think it's interesting how iOS exploits are cheaper[1] than Android exploits, because iOS exploits are so plentiful in comparison to Android exploits.

[1] https://arstechnica.com/information-technology/2019/09/for-t...




What about the fact that Android has 3 times the market share?


And the fact that Android devices are generally patched slower, so an exploit can give you access for longer.


In the US, iOS has the majority of market share at 52.4%, and Android has 47%[1].

[1] https://www.statista.com/statistics/266572/market-share-held...


The US isn't representative of the rest of the world in this regard. That's why any discussion of iMessage is filled with half the people arguing that iMessage is the best thing since sliced bread (Americans) and the other half saying they never use it.


Do Americans really represent half of smart phone users? I would have thought it to be smaller than that given the population of the planet.


I was meaning HN users. In those discussions, it feels like about half are Americans. You’re right if we’re talking about overall users.


This is super interesting. I don’t agree on your explanation. But is there any scholarship on the matter?

Variables appear to be size of user base, average disposable income, mean time to patch and number of competing exploits in the market.


Is that still the case?

The article implies that before it was written that wasn't the case previously.


Does it matter? A full-chain zero-click remote complete compromise for either system is only $2-3 million. That is absolute chump change. 4-6% of households in the US [1], 5-8 million households, have sufficient assets to fully compromise every iPhone or Android in the world. If we consider businesses, I bet that is within the reach of no less than 50% of the businesses (including small businesses) in the US. That is an absurd number of entities where that price point is totally doable.

If a bad actor can derive just $10 on average per phone they attack, then all they need to do is find a way to deploy their $2-3 million exploit to 1 million phones for less than $5 million to make a tidy profit. Given that we are talking about zero-click remote compromises, which means the victim only needs to receive the payload, this means that it is profitable as long as the cost per victim impression is less than $5, a CPM of $5000. With that sort of budget you can embed your attack into an ad and then outbid everybody else by a factor of 10 for placements. You can buy a mailing list and embed your attack as a "payload pixel". If it is a zero-click text message attack then you can buy access to the spam-callers and mass deploy it that way.

These systems are between a factor of 10-100x off of adequate. To care about their relative differences is like debating whether paper mache or tissue paper is better at stopping bullets. One is probably better than the other, but neither provides meaningful protection, so it hardly matters. You need fundamental, qualitative improvements before differences between the solutions provide meaningful effects on outcomes.

[1] https://dqydj.com/average-median-top-net-worth-percentiles/


If bad actors could derive $10 on average from 1MM phones, vulnerabilities would cost substantially more than $2-3MM.


Not really. That is only looking at the demand-side of a supply-demand relationship. Buyers will obviously prefer a cheaper vulnerability with a comparable effect to a more expensive one, so if vulnerabilities are easy to find at a price point where it is profitable to sell them at $2-3MM, then any finder who charges a lower price than others will be more attractive to buyers. This selling competition can easily drive the price down until it is much lower than the potential upside to a buyer of $10MM with a lower bound of the actual cost of discovery (which I already postulated is low enough that $2-3MM is profitable given that Zerodium is able to acquire vulnerabilities for that price) since anything less than the actual cost of discovery is unprofitable. This is the same reason why water is cheap even though it is absolutely essential to human life, it is plentiful and easy to acquire so suppliers compete on price driving it down to a value much closer to the cost of acquisition rather than the maximal upside to the buyer assuming no other alternatives are present.


Zerodium is not generally paying out $2MM for vulnerabilities and the people who acquire vulnerabilities from Zerodium aren't monetizing them directly off the installed base of phones.

An important thing to know about the market for these things is that the "clearing price" of an exploit chain is usually a cap, not an actual price; you're paid in tranches, until the vulnerability is burned. You're hoping it isn't burned before all your tranches are paid.

That has implications for the hypothetical business model you've proposed.


>Does it matter?

Yes?

Considering it was the measuring stick that person seemed to feel was important.


Yes. Here's an article from May of this year[1], where it states that it is still the case.

Also, you can go directly to Zerodium's website, where, as of today, they are still paying more for Android exploits than iOS exploits[2].

[1] https://www.theregister.com/2020/05/14/zerodium_ios_flaws/

[2] http://zerodium.com/program.html


Or possibly because Apple patches quicker so the exploit is less useful.


I’d guess it’s because the individuals worth using a targeted exploit on are more likely to be carrying iPhones.


I think you've misunderstood. iOS exploits are cheaper. If your explanation held, then you'd expect them to be costlier. That said, I'm sure your explanation is a component of their price.


Ha, I’m dumb and can’t read. You’re entirely right.


[flagged]


Functionally, iOS is a much more secure platform. Far more people are updated to the latest iOS version, which makes a huge difference. Apple invests tons of money into secure biometrics, privacy initiatives, and lots more.

At the same time, Android might still have fewer vulnerabilities in the latest versions. It's possible that Android's security technology or coding practices result in fewer security bugs. I don't think that Android has any attack surface equivalent to iMessage (which is written in Objective-C and uses some fairly low-level techniques, if I remember correctly).

A lot fewer people use the latest version of Android, though, so most of that effort goes to waste.


I think a major part of it is that iOS has much less variety.


> Why are you citing a year+ old article? It's clearly out of date

Because it is still the case as of today[1], and nothing of note has changed[2].

> HN has really gone down in quality of readers/commenters.

Ironic, considering this comment violates HN's guidelines.

[1] http://zerodium.com/program.html

[2] https://www.theregister.com/2020/05/14/zerodium_ios_flaws/


What about the "Released November 5, 2020" part of the page? Are you from the future?


It would be better for you to provide the up-to-date information showing otherwise yourself, rather than name-calling.



