This is a false comparison. Being hacked by NSO isn’t an accident. There’s an agent involved here with clear intent to harm and significant monetary motives.
If in a car accident we knew one party intentionally caused the crash (and were paid for it handsomely), we’d hold them responsible, regardless of what claims car companies make regarding safety.
If your air bag fails to deploy after a crash, the manufacturer is responsible for the product defect. It doesn’t matter if the crash was an accident or someone intentionally and specifically crashing into you; the manufacturer is responsible for a defective air bag.
The manufacturer is not responsible for the crash, only the defective product. The other driver is not less responsible for a death or injury resulting from the crash.
Responsibility for the crash and its consequences rests on the driver at fault.
Responsibility for a defective air bag rests on the manufacturer.
They are two separate issues and not zero-sum.
If someone clips your airbag wires before the crash, that is not a product defect and the manufacturer is not liable, but that is not what happened here. There was no prior access or modification to the device or software. Apple claims to have a secure phone yet has a critical zero click vulnerability similar to an earlier vulnerability they previously fixed.
Pointing a finger at NSO could one day lead to some government’s action aimed at influencing another government’s actions toward a private organization. NSO doesn’t care if they’re unpopular online.
Highlighting Apple’s responsibility in this is how we incentivize better security in consumer products.
I don’t think companies should be responsible for every exploit all the time. Nobody is pointing fingers at ViaSat for being hacked by the Russians. There have been repeated iMessage exploits that could be prevented with easy-to-implement defaults or simple opt-in settings (do not implicitly trust unknown numbers), which have been asked for after each exploit and ignored.
I think the main distinction is that Apple claims to have a secure phone, but not an unhackable phone. A secure vault is hard to get into, but not impossible.
Should they have done something about this? I believe so, but they are not marketing themselves as secure against state actors. They have released Lockdown Mode, which may or may not have prevented this particular exploit.
It's important to keep the demographic of iPhone users in mind. The average user does not want to be inconvenienced by security measures irrelevant to them. And if a competitor (Android) is providing a better experience, then Apple, from a business point of view, has no choice but to make the most secure system it can while still providing the same UX.
All that said, I do believe that they should implement zero trust on first contact as a default, with the option to enable explicit trust for every attachment. I just do not believe that this will have any major impact on these actors' capabilities.
It doesn't make sense to talk about IT safety if you exclude intentional hacking. To take your example, we do hold car companies responsible for harm from collisions with other vehicles, regardless of which driver was at fault.