There are widely available tools for exploiting iPhones. These are available to low level law enforcement, border guards, etc. They're often abused. The same goes for remote exploits. Apple and Google have succeeded in making the exploits expensive, but not much success in stopping them for more than short periods of time. Perhaps they'll start having more success, but so far they haven't. Making the cost of developing the exploits more expensive does not change that the usage is widespread in many dozens of countries. The remote exploits are not only used in targeted attacks against a tiny subset of people. They're often broadly deployed on publicly accessible websites.

I don't think this constitutes as widespread at least in impact, but there's been times where malicious apps have made it on the App store and used to steal cryptocurrency.