
According to Zerodium, iOS exploits are cheaper than Android exploits because iOS exploits are so plentiful[1][2] in comparison.

It should also be noted that the #1 vector for malware installation on Android is the Play Store itself[3].

The issue isn't Apple or Google's mobile app distribution implementations themselves. The issue is that the app store model was only adopted because of its profitability, and security was an afterthought. Despite this, the companies' PR departments try to paint the app store model as necessary for "security" and then fall short of actually securing things because that might cost money or decrease revenue. There's no competition, so who is going to stop them or force them to improve?

[1] https://www.theregister.com/2020/05/14/zerodium_ios_flaws/

[2] http://zerodium.com/program.html

[3] https://www.zdnet.com/article/play-store-identified-as-main-...



They said that two OS versions ago, pre-BlastDoor and the other improvements Apple made (not that those helped against Pegasus, of course). Have they started buying iOS exploits again?


>According to Zerodium, iOS exploits are cheaper than Android exploits because iOS exploits are so plentiful[1][2] in comparison.

On the other hand if your iPhone is vulnerable it will get an update. Can you say the same thing about Android?


Samsung has the greatest market share in the Android ecosystem[0][1] and they've pledged to provide security updates for 4 years for >130 models[2] – which is pretty good!

[0] https://www.appbrain.com/stats/top-manufacturers

[1] https://www.statista.com/statistics/271496/global-market-sha...

[2] https://arstechnica.com/gadgets/2021/02/samsung-now-updates-...


Their 4 year support from a phone's initial release is still quite bad and the last year is apparently only quarterly not monthly updates. So buy a phone X months after release and you get 36 - X months of monthly security patches and then minimal support for 1 year.

That’s a big deal because they're manufacturing last year's model S20 and many people are buying not realizing it’s apparently got 1.5 years of full support remaining.


Apple does basically the same thing. You buy an older iPhone like the XR and you get years of support off. Hell they cut off support for the 6th gen iPod Touch less than 6 months after they stopped selling it. They also make zero support promises for their products or monthly updates. While you might get 7 years like an iPhone 6S, it could also be 3 or even 2 like the original iPad. It's completely at their whims. For a while Mac support seemed relatively stable but Big Sur dropped a ton of models.

Samsung's support pledge isn't perfect but it is an improvement that will hopefully lead to other Android OEMs stepping up their game.


The 6s still gets support, and even though it gets iOS 15, iOS 14 will continue to get security updates for people who stay on it. Hard to believe that the XR is going to get dropped within the next 5 years.


That’s a good first step, but.. I mean, I can’t be the only one here who has daily driven a single phone for longer than four years, right?


Considering Samsung is the majority of Android phones, yes. They keep up and sometimes apply security updates faster than Google.


Did you read the article? The author clearly states that Apple chose not to do anything for quite an extended period of time.



