That covers most of the software, but basically every modern phone has some proprietary drivers that are necessary for it to function and that have security vulnerabilities of their own.
And nobody's going to exploit those device-specific vulnerabilities (that probably require local code execution anyway) unless you're a high-value target.