Even if there was no mention of this or the implication that it’s linked to the notifications Apple sends for targeted attacks, is it fair to say this kind of backdated security patch implies a lot about the severity of the vulnerability? What’s Apple’s default time frame for security support?
The full exploit chain seems to target WhatsApp directly using a second bug in WhatsApp; although this vulnerability is definitely present anywhere this kind of image is processed using Apple’s native image support, it would usually be aggressively sandboxed (in iMessage by BlastDoor and in Safari by the web content sandbox), so you’d need a lot more vulnerabilities than those that are currently disclosed to make it useful in those places. A bug in WhatsApp itself is particularly bad in terms of spyware actors, since it leaves one of their most popular targets, WhatsApp, vulnerable without a significantly more complex kernel escalation and sandbox bypass.