
They probably have around 3-10 other zero-click zero days on hand. And if NSO somehow burns all of their in-house production, the vulnerability brokers I know have a couple tens ready for usage in their inventory for a few million dollars each. This is not even private knowledge; the brokers run legal US incorporated businesses that sell to governments, businesses, and the vendors who make the insecure products such as Microsoft and Apple. Apple knows for a fact that they are delivering products with tens to hundreds of known critical security defects.

Apple does not buy out the zero-days for two reasons: First, you cannot buy your way to security. Second, the benefits do not outweigh the costs.

For the first point, it is impossible to buy your way to serious security. Apple currently pays a $1M bounty for a zero-click RCE with persistence [1] and $2M to do the same to Lockdown Mode, around the cost of a single Tomahawk cruise missile. They set this price because it takes around 1-3 engineer-years to find such a security defect, so the bounty is approximately the cost of labor. If they paid $10M, around the cost of a single M1 Abrams tank, they would get an absolute flood of new reports since suddenly the ROI is 10x and the number of security defects detectable at the $10M level is vastly more than at the $1M level. However, to deter countries, you need to get to at least the $100M level, the cost of a single F-16. At the few million dollar level there are already tens to hundreds of known security defects, so at the $100M level there are almost certainly thousands to tens of thousands of vulnerabilities. So, to buy their way to protection against state-funded attackers would cost them trillions to tens of trillions of dollars, if it is even possible at all. Note that literally nobody has ever gotten past the few million dollar range using this strategy, or frankly using any strategy when attempting to retrofit a system not designed for security like iOS or Windows.

For the second point, what does Apple gain by buying the zero-days? People keep buying iPhones no matter how many thousands of security defects get reported. All they have to do is make up new bullshit like Lockdown mode and everybody feels warm and fuzzy inside. The company, that has never once made a product within a factor of 100x of what is needed to protect against state-funded attackers, just makes up a marketing spiel about how they are "totally going to do it this time for sure, pay no attention to our record exclusively consisting of hundreds of failures" and everybody eats it up. We know they do not believe their own marketing fluff because they set the bounty for lockdown mode at $2M, only double the $1M for regular iOS, which is still only 1/5 of a single tank. Do you think a single state-funded attacker will be dissuaded by the price of a fractional tank? It costs more money to start a new McDonald's store. All the companies like Apple, Microsoft, Amazon, Google, Cisco, CrowdStrike, etc. need to do is lie and for some reason everybody keeps believing them for the thousandth time and their sales are protected.

Commercial IT systems are completely and utterly insecure against attacks by moderately funded attackers. If you have operations worth more than $1M or are at the risk of targeted attacks, you are completely, 100%, vulnerable no matter what or how many of these systems you use. If that is not acceptable, then you must not use standard commercial IT systems with connectivity. That is, unfortunately, the only solution that currently works. It is up to you if you think the tradeoff is worth it.

[1] https://security.apple.com/bounty/categories/



A third reason Apple doesn’t increase their bounties: they don’t need to. There is no secure phone on the market. Your only options are insecure phone (iOS, android, whatever) or no phone at all. So while it might be nice to be able to claim that you’re relatively secure, there’s very little to be gained by spending all of the resources required to buy up all exploits.


?

Androids haven't had anywhere near as many 0-clicks.

I have a secret on my backup/mostly offline phone, I cannot imagine using an iPhone with a secret on it.


nice comment, thanks for the very interesting perspective!


Do we have any idea how often these $1M / $2M bounties are collected from Apple?


They share the details of what vulns/bugs were patched every release, but we don't know which ones were 0click exploitable to the tune of $1MM.
