I think people don't fully realize the magnitude of such a task. We're not talking about something like consoles where the attack has to meet a higher bar to be viable (be persistent across reboots and upgrades, work over the internet against the provider's infrastructure, etc.). And as usual, the attacker only needs to get it right once and they can afford to wait for months or years to find the exploit on the particular device they have seized.