
> The low hanging fruit has definitely been thoroughly picked these days

The problem is that vendors aren't in the business of perfecting existing software. They're in the business of pushing out big, bold, feature-rich changes and additions.

There's always new low hanging fruit.



The vulnerabilities found in the article support your argument: SMS and MMS, which barely ever change or get new features, were much more secure than iMessage, which constantly gets new features and architectural changes.


There was a Microsoft Research paper several years ago which looked at the relationship of exploits to age of code in BSD kernels. The number of exploits in older code diminished over time, but that was often offset by the higher prevalence of exploits in newer code. That much is intuitive, but it's good that there's some well researched empirical evidence showing that that's the case.

We can hypothesize that better languages and better mitigations (e.g. ASLR) can improve the situation across the board, and I don't doubt that that's the case, but I haven't yet seen the evidence. (Maybe I missed it?) It's probably too early as it's difficult to make apples-to-apples comparisons across those aspects.


Are you totally and completely unaware that Apple actually does dedicate some annual cycles to bug fixes, performance improvements, and stability? And that they've done this many times in the last 20 years?

Your generalization seems a bit broad.


So what does the software look like up until those 'annual cycles'?

It's pretty clear from the economic incentives of the companies producing the software, the sheer quantity of exploits found, and the surprisingly low amount of QA that would be needed to catch most bugs that the aforementioned view is correct.



