The kind of organisations that use these exploits rarely want to use the same one twice. That would link the two uses, which could reveal who was attacking whom or why.
However, anti-rooting protections on iOS devices are such that the vast majority of organisations don't have any kind of logging or analysis infrastructure set up which could trace which devices have a specific exploit run against them.
The exploit is probably delivered by an encrypted channel, so even if you did full traffic logging from all employee devices to the internet, you still wouldn't have enough info to know which devices were infected, since the attacker will surely use a different server each time to deliver the exploit.
That suddenly makes it much safer to reuse exploits, so there isn't such a big market for a new exploit for every covert operation.
The same isn't true of Android - there are plenty of apps which will trace syscalls, dump logs, send suspicious files for analysis, etc. That makes reusing an exploit a risky business for three-letter agencies, especially if you're attacking another three-letter agency who probably has their own custom anti-malware type software just waiting for you to trip a tripwire.
I'm not sure that's a safe bet. iOS updates have become notorious for things breaking, sometimes in very obvious ways. I have an iPhone and a recent update caused some very obvious degradation of battery lifetime between charges, for example. Given that I have an unmodified phone running almost nothing but the standard Apple software, and the tiny number of apps I do have installed haven't been used since before that update, there isn't much excuse for this.
Meanwhile, I currently have email disabled on my phone pending a fix for a known security vulnerability that is reportedly going to be included in a firmware update delivered several weeks after the vulnerability was out in the wild and doing the rounds on tech sites.
Neither of these is reassuring when it comes to the current state of iOS robustness and security, and five minutes with Google will show that my experience is not unusual among iPhone users in recent times.
The really sad thing is that iOS devices still seem to be relatively robust compared to either Windows 10 or macOS on the desktop. It feels like Apple and Microsoft have both decided they are so dominant now that quality control doesn't need to be a business priority, and as a result we've left behind the "golden age" up to the mid-2010s when your OS mostly Just Worked(TM) and entered a new age where the most basic reliability of our essential IT systems is in question.
Oh it did. Earlier OS X releases were way more stable and didn't break shit for no reason.
Quality assurance has gone downhill over the last few years; that's what happens when the people in control are no longer engineers taking pride in high-quality, bug-free code but rather managers whose incentives are to push as many new features out as possible - which IMO was also the reason why 86 support was dropped in Catalina: it was too expensive to keep supporting, but heh, who cares about users of stuff like VSTs for sound people or people wanting to use their Mac for gaming...
And does this mean Android is more secure?
This is all, indeed, a pretty shady business. I don't think there's anything authoritative we can say from the outside.
How much is Zerodium charging people for these exploits if Apple isn’t paying?
Sure, they could stick the knife in if Craig Federighi calls up to ask how much, but you’d assume it’s nothing to Apple to spin up an arms-length subsidiary with a folksy name to buy the info through.
I think we wrap ourselves in a bit of false security when we say something is open source and think that automatically makes it more secure. We assume someone has looked at the source. But has anyone really? And those with the most incentive to look into these things might not be inclined to share the vulnerabilities back to the community for safety's sake, given the princely sums being offered by companies like Zerodium.
Let that sink in...
I can only assume this is for offensive purposes, since they can’t patch the kernel/software even if they know how the exploits work.
And going back further: https://twitter.com/cBekrar/status/1128702955555713024
Pretty sure it's not marketing