Back when Chrome was based on WebKit, IIRC Chrome team found and fixed oodles and oodles of bugs in WebKit, because WebKit wasn't even using fuzzing, or not enough fuzzing. Even as late as 2017, fuzzing was still finding significantly more security issues in Safari than other browsers: https://www.securityweek.com/fuzzing-reveals-over-30-web-bro...

Also, when discussing iCloud, you need to distinguish between the backend service, and the frontend service. There have been significant CVEs found in the front-end client. Apple doesn't run many front end Web services, so there's less to exploit. They also don't allow you to host executable code like AWS, Azure, and GCP, so the attack surface is much more confined.

That Google has exposed their infrastructure to the unforgiving nature of the Web for 2 decades, with exploits few and far between, is a testament to the quality of the security engineers.

The most secure device on the planet, isn't iOS, it's Chromebooks. Look at the defense-in-depth used on Chromebooks to isolate execution: https://www.youtube.com/watch?v=pRlh8LX4kQI

> All the "hacks" against iCloud have been social engineering

Which would be a strike against Apple...

> I don't see how users re-using passwords across sites or using weak passwords makes iCloud security a joke.

Logins from new locations is the type of thing other cloud services (like Google or Facebook) protect against by requiring a challenge to proceed even if 2-factor is not enabled.

iCloud only working when the user holds it properly is a very Apple-esque thing, but also still bad. Particularly their 2FA is pretty bad and can be easily bypassed. Because, you know, that good UX flow is preferred to actual security.

> The platform itself has not been hacked

Not true. For example an unintentional backdoor allowed hackers dump all your data from icloud, bypassing the 2-factor authentication.

This was live for 2-3 years before the Hollywood hacks finally made apple to fix it.