It sounds like silent updates from Apple without automatic updates turned on is also an undisclosed RCE - or an Apple backdoor, depending on how fine a point you wish to put on it.
Being my OS or hardware vendor does not entitle you to permanent RCE on the machine that now belongs to me.
Unless of course this is just an XProtect rules update or a Gatekeeper CRL update, then ignore what I said.
Makes the story MUCH worse in my opinion. An unpatched RCE that they left open until someone else got 90% of the way there and went public with it.