Not sure if it's worse on iPhone (because successfully targeting one specific model means a huge user base to hit), but I've been consistently surprised with how old Android devices survive usage long after updates have expired without large-scale compromise.
It shouldn't work. Based on historical precedent from PCs, all of these phones should be full of the most blatant, obvious, ad-injecting/ransomwaring/account-stealing malware that simply cannot be ignored. And yet, in practice, most users are using ancient Android devices just fine.
Obviously you can't do that if you expect to be specifically targeted (either by governments or criminals), but the baffling fact is that an average user can apparently get away with it in practice.
Cybersecurity is akin to home security. Most people will get an alarm at most, and otherwise have a house which is totally unprepared to defend them against a special forces hit squad. Few people here have seriously considered how they will stop a gang of a dozen bloodthirsty criminals from kidnapping them and forcing them to reveal their credentials, even if they've thought about post-quantum cryptography. Yet this all works out because they can easily hide in the crowd; there are plenty of other societal institutions which generally deter home invaders.
The problem with cybersecurity is with companies that hoard a great number of people's personal information or who have a great amount of privileged access and then decide to care about security.
There was an article here just the other day talking about how a mass of older Android devices spanning many different sectors (phones, TVs, Chromebooks, etc.) had been found to have malware that was installed between the refurb/shipping and delivery to retailers. These older devices also wound up in schools. So it absolutely is happening.