
Look at the exploits Google's Project Zero find for a less clandestine example. No doubt they employ clever people but you don't have to be superhuman to find vulnerabilities in code. Part of it is paying people to sit down and work on it full time.

An interesting quote:

https://googleprojectzero.blogspot.com/2020/12/an-ios-zero-c...

"This has been the longest solo exploitation project I've ever worked on, taking around half a year. But it's important to emphasize up front that the teams and companies supplying the global trade in cyberweapons like this one aren't typically just individuals working alone. They're well-resourced and focused teams of collaborating experts, each with their own specialization. They aren't starting with absolutely no clue how bluetooth or wifi work. They also potentially have access to information and hardware I simply don't have, like development devices, special cables, leaked source code, symbols files and so on."




Yep, Apple themselves will find exploits, white hat hackers will find exploits, Project Zero or Microsoft teams will find exploits, and so will NSO or other blackhats. It is a mix of luck, skill and putting in the time. NSO has successfully monetized their exploits, allowing them to then invest the money back into hiring more people, which increases the luck/time put into it.



