Vulnerabilities do not translate to EXPLOITS, fuzzy. There is a big difference. Look for the actual exploits.
There are several million actual exploits in the wild on Android and the number that have broken into the wild on iOS are countable on the fingers of ONE HAND.
The real problem with Android is security updating and OS updating.
iOS users are typically running the latest update. In fact, right now, over 75% of Apple iOS users are on iOS 11. That means the iOS users are patched to the latest and greatest security available. . . and fewer than 5% on running an iOS version lower than iOS 10.
On the other hand, Android users are not. Android, not so much. Less than 5% of Android users are on Android 8, Oreo, and in fact only half a percent are on Android 8.1, the latest version. The vast majority of Android users are on Android 6 and 7, but 23% are still on Android 5! Almost 16% are on Android versions lower than that! How can these users be kept up-to-date on security to protect them from malware, much less patch vulnerabilities, Fuzzy?
Unfortunately, most device manufacturers not named Apple pretty much abandon their devices after the sale. I had an HTC handset on AT&T that never received a single update. HTC makes great stuff that's built like a tank, but what's the point of building a phone that will last 5 or more years if you don't provide support? With many if not most Android devices, you probably get 1 update, then you are "end of life". They give cute names to the new OS, cookies, candy, whatever, and tell you of cool new "must have" features, but to get them you either have to buy a new device or root the one you own and DIY, if there is a way to do it at all. Meanwhile, my almost 5 year old iPad Air just updated to IOS 11.3. Same generation tablet from Samsung (Tab 3) would still have outdated 4.2.x or 4.4.x OS.
Just because you’re on an older version of Android does not mean that you’ve not received security updates. What is labeled as “malware” also matters, often just apps that have requested permissions that the user GRANTED. So what you’re calling exploits is skewed.
Things like SE-Linux and dm-verity go a long way. I’ve never had a problem in many years of use, you just have to understand what you’re installing and what it is asking for. I’m on security mailing lists for multiple OS’s and the bottom line is, don’t be lured into a false sense of security with any one of them. iOS is not special.