The simple solution is memory isolation - let the modem be as insecure as you like, but anyone who breaks into the modem can only see your network traffic (hopefully all encrypted anyway) and nothing else.
Sadly, today's Qualcomm hardware has no real memory isolation at all - any bit of on-chip hardware can see all memory.
It isn't perfect, but it's far easier to do that than to properly secure a multi-million-line codebase with a substantial amount of unpatchable hardware...
There is an IOMMU on Snapdragons, as the article says, but it is the IOMMU mapping itself which they attack.
It is kind of mind-boggling how they let the device overwrite its own IOMMU configuration, effectively nullifying the IOMMU's purpose and its provided safeties.
It's like fencing your house with 10 meter high walls, but leaving the key lying in front of the gate.
As someone else said, it's not a security barrier between the ARM core and the radio hardware bits... It's more a tool for remapping stuff to make system design easier, and as a way of protecting against evil hardware outside the SoC.
I believe it can prevent the ARM core tampering with private radio hardware memory, but not the other way round.