I don’t work in the field but do you know for a fact companies like NSO don’t use memory exploits for their attacks ? Majority of the “published” attacks is probably a better assertion.
NSO absolutely uses memory exploits. I think the person you’re responding to is saying that weaponized exploits of the form that NSO builds are a minority of overall attacks (which is both true, and also not a sufficient reason to discount the severity of memory corruption).