It's ironic that it's still unpatched vulnerabilities that catch users and corporations out. We've seen these on an ongoing basis, even with the likes of Cisco, Microsoft, and all the big names. These known vulnerabilities often lie unpatched for very long periods because end users and admins don't run patch updates.
Mobile phones are probably worse, as they stop receiving updates after relatively short periods of 2 years or more. So even if you shut down your phone after each time you use it, the chances are you are not getting all the security patches and updates you should be receiving. Average users just have to go with what they've got, and it all depends on the state of your data at rest on the phone after it is unlocked and in use. Most users want speed and convenience, and those are at odds with greater security.
See "How law enforcement gets around your smartphone’s encryption"
Openings provided by iOS and Android security are there for those with the right tools.