Hacker News

I think it's mostly that people are continuing to use file format parsers that were written in unsafe languages in 1998.

I do sometimes wonder what a "Manhattan Project" of software security would look like. I do think rewriting all common file parsers in <X> would be a very achievable project with a budget of a few dozen million dollars - nothing compared to the potential savings. The issue is then getting people to actually switch over. I think that a PR push by NIST et al. could help convince the slowpokes that the "industry standard" has changed and they need to do something to avoid liability.




> nothing compared to the potential savings.

How do you estimate the financial damages here though? It's not like anybody's really going to stop buying iPhones over this. Not to any real degree. There's some brand damage to Apple but that calculation's highly debatable and swings around wildly. Which is the problem. Digital security is impossible to put a price on, because until someone is actively exploiting it, it costs WAY less to do nothing about the situation.


Yes, in fact, if the NSA, China's MSS, Mossad and other nation states are betting on these kinds of exploits existing in order to do their really dirty work (even if they contract it out to NSO Group), the "benefits" would be detrimental to them.


With the kinds of resources Apple has, you could be writing a PDF parser from scratch in Rust or Swift (it is 100% memory-safe, right?) or whatever else kind of "in the background", maybe as an experimental project, and then replace the existing one with it when it's mature enough.

Microsoft at least started rewriting some components of Windows in Rust. Though they aren't saying which ones.
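As an added example (not code from the thread, Apple or Microsoft), here is what "replace the parser with a memory-safe one" buys in practice, in Rust, on a made-up length-prefixed record format: a hostile length field or a truncated header yields a typed error instead of an out-of-bounds read, and the record count is capped so a small file cannot drive unbounded allocation. The format, the 1024-record cap and the sample inputs are assumptions constructed for illustration; the guarantee only covers code outside `unsafe` blocks.

```rust
// Added example, not from the thread. Parser for a constructed format
// (assumed for illustration):
//   u8 tag | u16 big-endian length | `length` bytes of payload, repeated.
// Every access to the input goes through slice `get`, which returns None
// rather than reading past the buffer, so malformed input becomes an Err.

#[derive(Debug, PartialEq)]
pub struct Record<'a> {
    pub tag: u8,
    pub payload: &'a [u8],
}

#[derive(Debug, PartialEq)]
pub enum ParseError {
    TruncatedHeader { offset: usize },
    TruncatedPayload { offset: usize, declared: usize, available: usize },
    TooManyRecords,
}

// Assumed resource bound: keeps a tiny file from growing a huge Vec.
pub const MAX_RECORDS: usize = 1024;

pub fn parse_records(input: &[u8]) -> Result<Vec<Record<'_>>, ParseError> {
    let mut records = Vec::new();
    let mut offset = 0usize;

    while offset < input.len() {
        if records.len() >= MAX_RECORDS {
            return Err(ParseError::TooManyRecords);
        }

        // A 3-byte header must fit entirely inside the remaining input.
        let header = input
            .get(offset..offset + 3)
            .ok_or(ParseError::TruncatedHeader { offset })?;
        let tag = header[0];
        let declared = u16::from_be_bytes([header[1], header[2]]) as usize;

        // `start` <= input.len() here because the header fetch succeeded.
        let start = offset + 3;
        let available = input.len() - start;

        // checked_add keeps the arithmetic honest even if the length field
        // were widened; `get` rejects a payload that overruns the buffer.
        let payload = start
            .checked_add(declared)
            .and_then(|end| input.get(start..end))
            .ok_or(ParseError::TruncatedPayload { offset, declared, available })?;

        records.push(Record { tag, payload });
        offset = start + declared;
    }

    Ok(records)
}

fn main() {
    // Constructed inputs: one well-formed file and two hostile ones.
    let good = [0x01, 0x00, 0x03, b'a', b'b', b'c', 0x02, 0x00, 0x00];
    let lying_length = [0x01, 0xff, 0xff, b'a'];
    let cut_header = [0x01, 0x00];

    println!("{:?}", parse_records(&good));
    println!("{:?}", parse_records(&lying_length));
    println!("{:?}", parse_records(&cut_header));
}
```

The equivalent C parser would typically compute `p + declared` and memcpy without the comparison, which is exactly the class of bug the thread is about; here the comparison is not optional because the only way to get at the bytes is through an API that performs it.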


1. There are publicly visible Swift rewrites and sandbox enhancements.

2. With the number of projects Apple has, the number of "trivial" enhancements like this adds up very quickly.


It is starting. I've seen big companies start shifting towards this future over the last couple of years. In discussions with other security professionals across various companies, it is appearing more like an inevitability that a shift to memory safety is coming, in one way or another. It is moving slower than I'd want, but the discussion feels very different than it did just three or four years ago.


Sure, tech companies and even just random people are already working on it piecemeal. I just think if someone with resources put a concerted effort into it, we could replace all the parsers of untrusted data in e.g. Chrome within 2 years. If a government did it, then it could be justified by benefiting all of society, rather than one individual product team having to justify the effort for their own use.



