[acdha]

That’s a really good way to think about it. Having been security-adjacent for a long time, I definitely remember the reactions of dread which some of the earlier big vulnerabilities in things like OpenSSL got, which were never exploited at the feared scale, and that’s well explained by your theory: the NSA isn’t interested in every phone in a country, and a lot of unsexy vulnerabilities like WordPress exploits are going to be more widely attacked because people know how to make money with ad/affiliate spam, SEO, etc.