Also, in contrast to iPhones, Android traditionally relies a lot more on safe languages like Java and Kotlin (and now Rust). Of course, iOS is improving there as well with Swift.
The issue is that all other Android vendors outside Google Pixel and to some extend Samsung are just terrible when it comes to device security.
Finally, it should be said that iOS was also compromised relatively quickly according to leaked Cellebrite presentations. The only system they could not compromise at the time was GrapheneOS, because they fully use Pixel hardware security features and do a lot of additional mitigations (including many that iOS doesn't use).
Also, any discussion of iOS should come with a fat disclaimer that by default iOS devices have a huge hole: most people use iCloud Backups (and are nudged towards it) without ADP, so their iCloud backups are not end-to-end encrypted and their chats, etc. can be requested by law enforcement. That you yourself use ADP does not really matter if the people you are communicating with don't. Also, Apple manages the key dictionary for iMessage, etc. so they could insert themselves. I would not be surprised if default non-E2E backups are a compromise in the extension of the NSA PRISM program that Apple already participated in before the Snowden leaks.
Of course, Google isn't any better, but just to say that Apple's security/privacy story is selective. Yes, they help protecting against some malicious groups and non-allied states, but they also make sure that US law enforcement (and probably some allied powers) can access most data.
