
Indeed, a wonderland where it is OK for a 2 trillion dollar company to take 5 years to fix vulnerabilities that put in danger many of its users worldwide.


That assumes, wrongly, that Apple only patched the vulnerabilities used by NSO since 2016 in iOS 14.8.

In reality, Apple has been reacting to and fixing new exploits all the time, with NSO Group (and others) successfully finding new ones to replace those that got patched.

For instance, the main class of NSO-related attacks has been via the Messages app and related frameworks, which were relatively poorly designed in terms of their original security architecture. Apple has since 2016 substantially hardened those subsystems, including with a new 'BlastDoor' isolation layer specifically for Messages in iOS 14. That closed off entire classes of exploits, but is clearly not perfect.



