No, it just means that they've found vulnerabilities that can be triggered without user interaction. This is entirely doable by just fuzzing or reverse engineering the released iOS binaries.
Of course – but you can definitely fuzz your way to the initial vulnerability. The VM stuff is done once you have that vulnerability and are writing the actual exploit, which is a manual process.
Entirely do-able by a team of experts with multimillion dollar budgets over the course of probably many months, doesn't sound at all similar to average hn commenter being able to do it before lunch.
Source code doesn't help that much, and sometimes the assembly makes some bugs more obvious. They really don't need the source. They just decompile it.
People without reverse engineering experience often think there's a massive difference between white-box and black-box auditing, but there really isn't. Yes, it takes longer, but not ridiculously so.
NSO aren't interested in being an overtly criminal operation; breaking into Apple and stealing source would be a giant liability they don't need to have. Their game is feigning ignorance as to what their customers do with their software. They can't afford to be caught commiting crimes directly.
I mean, it would just be a prudent business move once the first PoC comes out right? You know that Apple is going to patch it eventually. It totally makes sense to try to pop a dev box and exfiltrate the source code. The only question is if they can make it past Apple's network security - it's unlikely that devs are allowed to take their work MacBooks with iOS source code home.