Apple Confirms iPhone Spyware Risk No Patch Without iOS 26

But when millions of iPhones remain on older software, that model breaks down. That is the practical consequence of Apple confirming that mercenary spyware developers have found a way in, again, and that the most reliable protection sits behind an operating-system upgrade many users have not installed.


Apple has patched two exploited vulnerabilities ahead of the holidays, but the harder problem is not the patch itself; it is the long tail of devices and owners that do not move quickly, even within an ecosystem where every compatible iPhone can install the same release on day one. The gap between "fix is available" and "fix is deployed" becomes a usable window for attackers precisely because it is predictable.

Third-party estimates of exactly what that percentage is vary, but they agree on the uncomfortable part: a huge share of active iPhones remain on iOS 18 months into iOS 26's lifecycle. Even optimistic dashboards still leave an enormous population unpatched, and more pessimistic measurements put iOS 26 usage at well under a quarter of devices. In past cycles the latest iOS typically moved faster, making this slowdown feel less like routine resistance and more like a systemic drag on Apple's ability to close holes at scale. Security pros have been candid about what that drag means: "There's no workaround or user behavior that meaningfully mitigates this risk," says Keeper Security CEO Darren Guccione.
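The "fix is available" versus "fix is deployed" gap is something a defender can measure directly on a managed fleet. The following is an added example, not code from the article or from Apple: it takes a constructed device inventory (the kind an MDM export would give you), a constructed patched-version floor per iOS major branch, and a constructed patch release date, and reports which devices are still on a build with no fix, how long each has been exposed since the patch shipped, and which records are too stale to trust. The version numbers, dates and device names are placeholders; the article does not state the fixed build number, so `PATCHED_FLOOR` is an assumption you would replace with the real one.

```python
from datetime import date

# Constructed sample inventory (not real data): device id, reported iOS version, last MDM check-in.
INVENTORY = [
    {"device": "iphone-001", "ios": "26.2", "last_seen": date(2025, 12, 18)},
    {"device": "iphone-002", "ios": "18.7.2", "last_seen": date(2025, 12, 17)},
    {"device": "iphone-003", "ios": "26.1 (23B85)", "last_seen": date(2025, 12, 10)},
    {"device": "iphone-004", "ios": "17.6.1", "last_seen": date(2025, 11, 30)},
]

# Constructed placeholder: lowest build that carries the fix, keyed by major version.
# A major branch with no entry has no fix at all, which is the situation the article describes
# for devices that stay on iOS 18 or earlier.
PATCHED_FLOOR = {26: "26.2"}

# Constructed placeholder for the day the fix was published.
PATCH_RELEASE = date(2025, 12, 12)


def parse_version(text):
    """Turn '26.1 (23B85)' or '18.7.2' into a tuple of ints, ignoring any build suffix."""
    numeric = text.split()[0]
    return tuple(int(part) for part in numeric.split("."))


def version_at_least(version, floor):
    """Compare dotted versions numerically, padding so that 26.1 == 26.1.0."""
    a, b = parse_version(version), parse_version(floor)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def is_patched(version, floors=PATCHED_FLOOR):
    """A device is patched only if its branch has a fix and it is at or above that build."""
    major = parse_version(version)[0]
    floor = floors.get(major)
    return floor is not None and version_at_least(version, floor)


def exposure_report(inventory, floors=PATCHED_FLOOR, patch_release=PATCH_RELEASE, today=None):
    """Summarise the deployment gap: who is unpatched, for how long, and whose data is stale."""
    today = today or date.today()
    days_since_patch = (today - patch_release).days
    unpatched, stale = [], []
    for rec in inventory:
        if not is_patched(rec["ios"], floors):
            unpatched.append((rec["device"], rec["ios"], days_since_patch))
        # A check-in older than the patch date means the record cannot confirm current state.
        if rec["last_seen"] < patch_release:
            stale.append(rec["device"])
    return {
        "unpatched": unpatched,
        "unpatched_share": len(unpatched) / len(inventory) if inventory else 0.0,
        "stale": stale,
    }


if __name__ == "__main__":
    report = exposure_report(INVENTORY, today=date(2025, 12, 19))
    for device, version, days in report["unpatched"]:
        print(f"{device}: iOS {version}, exposed {days} days since the fix shipped")
    print(f"unpatched share: {report['unpatched_share']:.0%}; stale records: {report['stale']}")
```

The stale list matters as much as the unpatched list: a device that has not checked in since the patch went out may have updated already, or may have been taken offline, and a dashboard that silently counts it either way will misstate the real exposure window.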

Upgrading is the only effective defense. Once patches are public, the exposure window widens for anyone who delays updating. Interface backlash appears to be part of the story. "Liquid Glass" has taken heat for readability and discoverability, with frustration spilling over into the kind of online threads that turn a design debate into a referendum on trust. But from the perspective of security engineering, aesthetics matter only insofar as they change behaviour, and behaviour is now the bottleneck.

Apple's response is partly architectural. The company introduced Background Security Improvements in iOS 26.1, a mechanism to deliver smaller patches between full releases. As Apple puts it in Settings: "Background Security Improvements provide additional protection to your iPhone in between software updates," and the "Automatically install" option is available via Settings > Privacy & Security. The design goal is clear: shrink the time between discovery and protection without waiting for users to take action. None of this alters the high-end threat landscape that makes iPhones such valuable targets.

Apple describes these incidents as "mercenary spyware" campaigns aimed at a very small number of individuals, and notes it has sent such alerts "multiple times a year" since 2021, notifying users in "over 150 countries" in total, according to Apple's threat notification guidance. Research outside Apple also shows how the commercial spyware market sustains itself by repeatedly sourcing new zero-days. The underlying tension is now visible: Apple can ship fixes quickly, but it cannot force adoption quickly. Insofar as iOS upgrades remain optional in practice, and undesirable for a meaningful slice of users, security becomes a feature that exists but does not fully apply.
