> So I'm not terribly familiar with Bluetooth. Are these something that can be exploited by an unpaired device?

Who knows, someone would need to write an actual exploit for these. Just quickly skim through the Android security bulletins at
https://source.android.com/docs/security/bulletin
and you'll see that every month lots and lots of CVEs are fixed with at least high or even critical severity in various stacks. If you're running a phone that hasn't received updates since August 2023, you can assume that you have dozens of remotely exploitable bugs on your system. The security track record of Android is absolutely terrible.

That phone hacking is not a big thing is simply because it's usually much easier for a hacker to get into the cloud services people use instead through targeted phishing attacks. If that makes you feel safe using a phone without updates, then good for you, but don't claim these updates aren't actually fixing serious bugs every month.