At the time, FB said it didn't believe the bug had been exploited: In this instance there is no reason to believe users were impacted. [0] The alleged hack of Bezos happened in May 2018, about 18 months after the Nov 2019 bug fix. I wonder if FB's statement was just boilerplate PR or if they really did substantial forensics to have "no reason to believe users were impacted".
Anecdotal, but a lot of times phrases similar to that are used because the real answer is "We don't have any way of knowing if users were actually impacted" and it's obviously far better for PR to phrase it that way.
It does sound better but here's the thing: this is Jeff Bezos. He's one of the most high-profile people on the planet. If his phone was hacked through WhatsApp, he clearly filed a complaint and told them what had happened. They just didn't manage to patch it for over a year and then stated they 'had no way of knowing' even though this clearly proves it happened.
Why do you think it was CVE-2019-11931? The Facebook vs. NSO lawsuit[1] mentions CVE-2019-3568[2]. CVE-2019-3568 was widely reported in May to have been exploited by NSO group[3].
[0] https://nakedsecurity.sophos.com/2019/11/20/update-whatsapp-...