Can a company the size of Apple not afford 24x7 security resources? For their installed user-base, I don't think this is unreasonable. Security doesn't have a holiday.
I would claim that there is a very high likelihood that the person having to work all night to fix this on New Year's Eve is not the same person who prioritizes tech debt payoff vs. new features.