Too simplistic of an answer, though it could be part of it.
I think we wrap ourselves in a bit of false security when we say something is open source and think that automatically makes it more secure. We assume someone has looked at the source. But has anyone really? And those with the most incentive to look into these things might not be inclined to share the vulnerabilities back to the community for safety's sake, given the princely sums being offered by companies like Zerodium.
Apple is the device to exploit right now, which drove supply. Meanwhile Google, Project Zero and companies like Copperhead are actively securing Android.