It’s not. As a general consumer, if you keep your phone consistently updated, you have very little to worry about. The Pegasus malware toolkit is used by nation-state actors to target individual people. If you’ve gotten to the point where you’re being targeted by nation-state actors, you’ve got much bigger things to worry about than just zero-click malware.

Truthfully, though, there are bad actors around the world consistently working around the clock on spreading malware with as little effort as possible. If you’re able to find a security hole in the latest version of a phone’s operating system, odds are that security flaw will work in previous versions. These security flaws are *not* easy to find, but there’s big money (millions of dollars in some cases) to be made in finding these exploits, especially for bad actors that want to steal money from people.

But, especially on Android, any security flaw can be a really big deal. Companies that make Android phones are responsible for rolling their own updates. Because Android runs on so many devices, each device requires **major** effort to develop an update for. As a result, phones can go on for years without an update even if a security vulnerability is found. Companies that make Android devices, especially budget options, don’t want to spend the money on developing updates for devices, so critical patches just sometimes never get made. This leads to a situation where there are potentially millions of phones running around with a security flaw that will never get patched.