The real question is why is Apple allowed to lie about providing meaningful protection against state actors when they only think it only costs 2M $ to break it. In no universe is 1/5 the cost of a tank even a road bump for a state actor.

The other question is why is their security so terrible. The short answer is that they demonstrably know nothing about security since this is the most they have been able to do after decades of work, billions of dollars, and repeated promises of meaningful security. When somebody spends billions of dollars and decades failing to achieve even 1/10th of what they promised, you should take any new statements as extraordinary claims and demand extraordinary evidence.

It's not like anyone has been doing any better. Mobile phones are embedded devices targeted to everyday consumers, basically toys. They've never been engineered for anything like meaningful security against even mildly sophisticated attacks. The industry simply doesn't care about this, e.g. most phone SoC's are still not protected against misbehavior by any of the included devices, each of which is running some unknown proprietary firmware. That's just par for the course in the embedded ecosystem.

Apple marketing claims it provides meaningful protection against state actors. Apple engineering says it does not. Even if nobody can do it, even if Apple is closer than anybody else, that does not excuse lying to people who are betting their lives on Apple’s representations that it works.

Apple can not protect against state actors. Apple knows that. If you are at risk, the only safe thing to do is avoid Apple (and all other smartphones). Apple knows that. They lie and insinuate that a iPhone is fit for this task so they can sell a few more iPhones caring not a single bit for the lives at risk. That is grossly unethical. Yet, it is par for the course in “cybersecurity”. That does not make it acceptable, that just means everything is rotten.