Kelvin
March 24, 2026 · 12 min read

The Patch Gap: Why Millions of iPhones Will Remain Vulnerable for Months

Apple patched the DarkSword exploit in iOS 26.3. The hard part is getting the fix onto more than 1.5 billion devices - and some will never get it at all.

Roughly 350 million active iPhones will still be running unpatched software 90 days after Apple releases a critical security update. That is not a projection based on worst-case behavior. It is what the adoption data shows, cycle after cycle, update after update. Apple's installed base now exceeds 1.5 billion active iPhones worldwide, according to analyst estimates. Historical adoption rates tell us that even the most urgent security patches reach only 70 to 80 percent of eligible devices within two months. The remaining 20 to 30 percent lingers for months. Some devices never update at all. When the vulnerability in question is DarkSword, a fully weaponized exploit chain now freely available on GitHub, every day in that gap is a day of exposure at scale.

The Number Apple Does Not Advertise

Apple publishes iOS version adoption data selectively and has made it progressively harder to find. The figures now appear primarily on Apple's developer resources portal, where they receive less scrutiny, rather than in more publicly visible locations.

The numbers that do surface paint a consistent picture. When iOS 17 launched in September 2023, Apple's data showed 76 percent adoption among iPhones introduced in the previous four years by February 2024, five months after release. Among all active iPhones, the figure was lower: 66 percent. That gap matters. It means roughly 500 million iPhones were still running iOS 16 or older half a year after launch. iOS 16, for comparison, had reached 81 percent adoption across all active iPhones by June 2023 and 90 percent among devices from the previous four years. The persistent gap between those two measurements reflects the long tail of older hardware that drags adoption downward.

Security point releases like iOS 26.3.1 move faster than major version updates because they are smaller downloads and do not change the user interface. But faster is relative. Industry tracking from firms like Mixpanel and Statcounter consistently suggests that even critical security patches take weeks to reach a majority of compatible devices. The final 10 to 20 percent moves glacially, if it moves at all. Each percentage point in that tail represents approximately 15 million active iPhones.

The Anatomy of the Patch Gap

The delay between Apple shipping a fix and users actually running it has multiple layers, each adding days or weeks to the exposure window.

The simplest layer is human behavior. Apple now enables automatic updates by default on current iOS versions, building on a feature first introduced with iOS 12 in 2018. But the system waits for the device to be connected to Wi-Fi and plugged into a charger overnight. Users who charge at their desk during the day or rely on mobile data may not meet those conditions for days. Others actively disable automatic updates, preferring to control when changes arrive. Apple does not publish what percentage of users disable the feature, and no reliable third-party data exists to quantify it precisely.

The second layer is institutional. Enterprises running Mobile Device Management platforms like Jamf, Microsoft Intune, or VMware Workspace ONE can defer iOS updates by policy. Many do. The Jamf Security 360 report found that 40 percent of mobile users in enterprise environments were running a device with known vulnerabilities. These are not forgotten devices. They are deliberately held back while IT departments test the new software against internal applications.

The third layer is regulatory. Healthcare organizations operating under HIPAA conduct validation testing before deploying new OS versions to devices that handle patient data. Financial institutions subject to SOX compliance run similar reviews. Government agencies face their own certification processes. Each of these adds 30 to 90 days to the patch timeline, and sometimes more.

Who Cannot Update at All

Beyond the patch gap for devices that can be updated, there is a harder category: devices that will never receive the fix.

iOS 26 requires an iPhone 11 or newer, meaning a minimum of the A13 Bionic chip. Apple dropped support for the iPhone XS, XS Max, and XR with this release. Those devices, built around the A12 Bionic, can run iOS 18 but not iOS 26. Apple has continued to release security patches for the iOS 18.7.x branch, including iOS 18.7.3 and iOS 18.7.6, which address some DarkSword vulnerabilities. The iPhone 8, 8 Plus, and X stopped receiving updates even earlier, with iOS 16 as their end of the line.

Estimating how many of these devices remain active is imprecise, but not impossible. Apple sold approximately 217 million iPhones in 2018, the year the XS and XR shipped. Device replacement cycles have lengthened in recent years, with the average iPhone now in use for over three years. A conservative estimate puts 100 to 150 million active iPhones worldwide that cannot run iOS 26.

Apple sometimes backports critical security fixes to older iOS branches. It did so for the DarkSword vulnerabilities, releasing iOS 18.7.3, iOS 16.7.15, and iOS 15.8.7 in March 2026. But the coverage is inconsistent across vulnerability types. Apple patched a WebKit zero-day in iOS 15.7.5 in April 2023 and an actively exploited kernel vulnerability in iOS 16.7.1 in October 2023. The DarkSword exploit chain targets six vulnerabilities across multiple system layers. Backporting a partial fix leaves some attack vectors open.

For users stuck on iOS 18 or earlier, the options are limited. They can enable Lockdown Mode, which Apple introduced in iOS 16 to reduce the attack surface for high-risk users. Lockdown Mode disables certain WebKit features, blocks most message attachments, and restricts other potential entry points. It is effective but makes the phone noticeably less functional. Most ordinary users do not know it exists, and those who do rarely enable it for daily use.

The Adoption Curve in Numbers

iOS adoption follows a predictable curve that has remained remarkably stable across releases, even as Apple has introduced faster patching mechanisms.

In the first days after a security update, a relatively small share of eligible devices installs it. These are the enthusiasts and the automatic-update users whose devices happen to meet the charging and Wi-Fi conditions on the first night. By the end of the first week, adoption typically reaches 25 to 35 percent. The two-week mark shows 45 to 55 percent. After 30 days, the curve flattens, sitting at 60 to 70 percent. By 60 days, it reaches 75 to 85 percent. The remaining devices update sporadically over the following months, with a stubborn residue of 5 to 10 percent that never updates within the current major version cycle.

Applied to the DarkSword patch: if iOS 26.3.1 follows historical patterns, approximately 750 million iPhones will have the fix within two weeks. That is the good news. The less comfortable fact is that a comparable number will not. After two months, roughly 200 to 300 million devices will still lack the patch. After six months, 100 to 150 million eligible devices will remain unpatched, plus the 100 to 150 million that cannot update at all.
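The projection above can be written down as a small exposure model. The following Python is an added example, not code from the article or from any of the tracking firms it cites: the adoption anchors are the midpoints of the ranges given above, the day-180 plateau of 92 percent is an assumption standing in for the 5 to 10 percent that never update, and the installed-base and ineligible-device figures are the article's own round numbers. It goes slightly beyond the text by adding an optional enterprise cohort whose rollout is held back by an MDM deferral period, so the same curve can be re-run for a fleet with a 30-day change-control window.

```python
"""Exposure-window model for an iOS security update (added example).

Piecewise-linear adoption curve with anchors taken from the article's
ranges (midpoints), plus an optional enterprise cohort whose adoption is
shifted by an MDM deferral period.  Every number here is a modelling
assumption, not Apple adoption data.
"""

# (day after release, cumulative share of eligible devices patched).
# Days 7/14/30/60 are midpoints of the article's ranges; the day-180 value
# is an ASSUMED plateau reflecting the 5 to 10 percent that never update.
ANCHORS = [(0, 0.0), (7, 0.30), (14, 0.50), (30, 0.65), (60, 0.80), (180, 0.92)]


def base_curve(day):
    """Linear interpolation between anchors; flat after the last anchor."""
    if day <= 0:
        return 0.0
    for (d0, f0), (d1, f1) in zip(ANCHORS, ANCHORS[1:]):
        if day <= d1:
            return f0 + (f1 - f0) * (day - d0) / (d1 - d0)
    return ANCHORS[-1][1]


def patched_fraction(day, deferred_share=0.0, deferral_days=0):
    """Share of eligible devices patched on `day`.

    `deferred_share` of the fleet sits behind an MDM policy that holds the
    update for `deferral_days` before it starts rolling out; that cohort
    simply follows the same curve, shifted right.
    """
    consumer = (1.0 - deferred_share) * base_curve(day)
    enterprise = deferred_share * base_curve(day - deferral_days)
    return consumer + enterprise


def exposure(day, installed_base=1.5e9, ineligible=125e6, **cohort):
    """Devices still carrying the vulnerability on `day`.

    Defaults follow the article: about 1.5 billion active iPhones, of which
    100 to 150 million (midpoint used) cannot run the patched major version.
    """
    eligible = installed_base - ineligible
    unpatched = eligible * (1.0 - patched_fraction(day, **cohort))
    return {
        "eligible_unpatched": unpatched,
        "ineligible": ineligible,
        "total_exposed": unpatched + ineligible,
    }


def days_to_reach(target, max_days=3650, **cohort):
    """First day on which the patched share reaches `target`, or None if
    the curve plateaus below it (small epsilon absorbs float rounding)."""
    for day in range(max_days + 1):
        if patched_fraction(day, **cohort) + 1e-12 >= target:
            return day
    return None


if __name__ == "__main__":
    # A fleet where 15 percent of devices sit behind a 30-day MDM deferral.
    for day in (7, 14, 30, 60, 180):
        e = exposure(day, deferred_share=0.15, deferral_days=30)
        print(f"day {day:3d}: {e['total_exposed'] / 1e6:6.0f} M devices exposed")
    print("90% of eligible devices patched on day", days_to_reach(0.9))
```

With the defaults the model lands where the article does: roughly 275 million eligible devices unpatched at day 60, about 110 million at the plateau, and the 90 percent mark not crossed until after day 150. Replacing the anchors with a fleet's own MDM check-in data turns it from a commentary on Apple's numbers into a planning tool for one organization's exposure window.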

Those are not hypothetical users in a spreadsheet. They are phones that check email, access bank accounts, store photographs, and connect to corporate networks. Each one is a potential target for an exploit chain that, until March 2026, cost well over a million dollars to acquire. It now costs nothing.

Enterprise: The Slowest Lane

The irony of enterprise patching is that the organizations with the most sensitive data are often the slowest to deploy fixes.

Large corporations and government agencies use MDM platforms to control their device fleets. These systems offer granular control over which software versions are permitted. In theory, that control should accelerate security patches. In practice, it often does the opposite. IT departments enforce waiting periods of 14 to 30 days as standard policy, allowing time to test the update against proprietary applications and internal systems. A compatibility issue that breaks an electronic health records app or a trading platform can cause more immediate operational damage than the theoretical risk of an unpatched vulnerability.

The Cybersecurity and Infrastructure Security Agency publishes Binding Operational Directives that set patching timelines for federal agencies. BOD 22-01 requires agencies to remediate known exploited vulnerabilities within two weeks of a vulnerability appearing in CISA's KEV catalog. Compliance is not universal. A 2024 Government Accountability Office high-risk series report found that hundreds of cybersecurity recommendations to federal agencies remained unimplemented, highlighting persistent gaps in the government's ability to secure its systems.

Private-sector enterprises face no such binding requirements. Some patch within days. Others run formal change-control processes that push the timeline to 60 or 90 days. For an iPhone fleet of 50,000 devices at a large bank, a 60-day patch delay means 60 days during which every one of those devices is vulnerable to a publicly available exploit chain.
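For a fleet like the 50,000-device one described here, the first defensive question is not how fast the update ships but which devices are actually at the patched release for the newest branch their hardware can run, since the backport section earlier notes that an XS or XR tops out at iOS 18 and that backports are partial. The following Python is an added example, not code from the article, Apple, or any MDM vendor: it reads a minimal inventory export (constructed sample data, not real devices) and classifies each device against a baseline table. The baseline versions are the ones the article cites (26.3 for the core fix, 18.7.3, 16.7.15 and 15.8.7 as backports) and the model-to-maximum-version map follows the article's hardware cut-offs; both are assumptions an operator would maintain from Apple's own security notes, and the `model` and `os_version` column names are assumed rather than any particular MDM's schema.

```python
"""Fleet audit against per-branch patch baselines (added example).

Reads an MDM inventory export (CSV with device_id, model, os_version) and
reports, per device, whether it is at the patched release for the newest
iOS branch its hardware can run.  The version numbers below are the ones
the article cites; treat them as an operator-maintained table.
"""
import csv
import io
from collections import defaultdict

# ASSUMED baselines, taken from the article: iOS 26.3 carries the core fix,
# and Apple backported fixes as 18.7.3, 16.7.15 and 15.8.7.  Keys are the
# major version of each branch.
PATCHED_BASELINE = {
    26: (26, 3),
    18: (18, 7, 3),
    16: (16, 7, 15),
    15: (15, 8, 7),
}

# Newest major version each older model can run (article: XS/XS Max/XR stop
# at iOS 18, iPhone 8/8 Plus/X stop at iOS 16).  Models not listed are
# assumed to support the current major.
CURRENT_MAJOR = 26
MAX_MAJOR = {
    "iPhone XR": 18, "iPhone XS": 18, "iPhone XS Max": 18,
    "iPhone 8": 16, "iPhone 8 Plus": 16, "iPhone X": 16,
}


def parse_version(text):
    """'18.7.3' -> (18, 7, 3); tuples order correctly, e.g. (26, 3) < (26, 3, 1)."""
    return tuple(int(part) for part in text.strip().split("."))


def format_version(version):
    return ".".join(str(part) for part in version)


def target_baseline(model):
    """Best patched release this model can reach: the highest baseline whose
    branch does not exceed the model's maximum supported major version."""
    cap = MAX_MAJOR.get(model, CURRENT_MAJOR)
    reachable = [b for major, b in PATCHED_BASELINE.items() if major <= cap]
    return max(reachable) if reachable else None


def classify(model, os_version):
    """Return (status, target) for one device.

    patched       at or above the best baseline its hardware can run
    unpatched     on the target branch but below the patched release
    older-branch  on an older major than it could run; even if that branch
                  has a backport, the article notes backports are partial
    no-fix        no patched release exists for any branch it can run
    """
    installed = parse_version(os_version)
    target = target_baseline(model)
    if target is None:
        return "no-fix", None
    if installed >= target:
        return "patched", target
    if installed[0] == target[0]:
        return "unpatched", target
    return "older-branch", target


def audit_inventory(csv_text):
    """Group devices by status; each entry is (device_id, target version)."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        status, target = classify(row["model"], row["os_version"])
        groups[status].append(
            (row["device_id"], format_version(target) if target else None)
        )
    return dict(groups)


# Constructed sample export; these are not real devices.
SAMPLE_INVENTORY = """device_id,model,os_version
A001,iPhone 15,26.3.1
A002,iPhone 12,26.2
A003,iPhone XR,18.7.3
A004,iPhone XR,18.6
A005,iPhone X,16.7.15
A006,iPhone 14,18.7.6
A007,iPhone 8,15.8.7
A008,iPhone 13,17.5
"""

if __name__ == "__main__":
    for status, devices in sorted(audit_inventory(SAMPLE_INVENTORY).items()):
        print(f"{status}: {len(devices)}")
        for device_id, target in devices:
            print(f"  {device_id} -> target {target}")
```

The distinction worth keeping is the `older-branch` bucket: device A006 is at 18.7.6, which satisfies the iOS 18 backport, but its hardware can run iOS 26, so a report that only checks "is the device on a patched release" would wrongly count it as covered. Feeding this into the deferral policy discussion above lets an IT department see exactly which devices a 60-day change-control window is leaving exposed.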

What DarkSword Changes About the Math

The patch gap has existed since the first iPhone software update in 2007. What makes it newly dangerous is the economics of exploitation.

Before DarkSword, the gap was an abstract risk. iOS zero-day exploit chains were rare, expensive, and controlled. Zerodium's public acquisition program has listed prices of up to 2.5 million dollars for a full iOS zero-click exploit chain. NSO Group reportedly charged governments around 7 million dollars for Pegasus deployments targeting up to 15 devices. At those prices, the attackers were nation-states and intelligence agencies targeting specific individuals. Journalists, dissidents, politicians. The total number of confirmed Pegasus targets was in the low thousands globally.

The traditional threat model for iOS security patches assumed this economic reality. If only state actors with million-dollar budgets could exploit a vulnerability, then a patch gap of a few weeks was an acceptable risk for ordinary users. The probability that a nation-state would target a random iPhone user was negligible.

DarkSword collapsed that model. When a full exploit chain is available on GitHub at zero cost, the attacker pool expands from intelligence agencies to criminal groups, harassment campaigns, corporate espionage operations, and opportunistic attackers running automated scanning. The patch gap is no longer a theoretical exposure for ordinary users. It is a practical one.

Apple's Mitigation Toolkit

Apple has invested in mechanisms designed to narrow the patch gap. The most significant is Rapid Security Responses, introduced with iOS 16.4.1 in May 2023.

Rapid Security Responses are smaller than full iOS updates, typically a few hundred megabytes rather than several gigabytes. They install faster and require only a brief reboot. Apple can push them between regular software updates, targeting specific vulnerability classes without the full regression testing cycle of a point release. The system downloads and prepares the update silently, then applies it during the next lock-screen idle period.

The limitation is scope. Rapid Security Responses can patch WebKit and certain userspace components, but they cannot modify the kernel or low-level system components. DarkSword's exploit chain targets six vulnerabilities across multiple system layers, including a PAC bypass in dyld and sandbox escapes via the GPU process. A Rapid Security Response could potentially close the initial WebKit entry point, blocking the first stage of the chain, but a full iOS update is required to address all the exploited components.

Lockdown Mode remains the strongest individual mitigation. It disables JIT compilation in Safari's WebKit engine, blocks most message attachment types, and restricts incoming FaceTime calls from people the user has not previously called. Security researchers have confirmed that Lockdown Mode would block DarkSword's initial attack vector, the crafted webpage that triggers the WebKit vulnerability. The feature is available on any iPhone running iOS 16 or later. But Apple positions it as a measure for people facing "extreme, targeted threats" rather than a general recommendation, and adoption among ordinary users is minimal.

Apple's bug bounty program, which offers up to 2 million dollars for a zero-click kernel-level exploit chain with persistence, was designed to incentivize responsible disclosure over public dumping. DarkSword's appearance on GitHub suggests that incentive structure did not work in this case. Whether the developer ever submitted the chain to Apple's program is unknown.

The Comparison Apple Wants to Avoid

The Android ecosystem provides a useful reference point, though not the one Apple would prefer.

Android version fragmentation remains severe. As of early 2026, Android 15 holds roughly 20 percent of the active device base, while the latest Android 16 sits at about 7.5 percent. Monthly security patches, which Google has delivered since 2015, reach Samsung flagships and Google Pixel devices within weeks but take months to arrive on mid-range and budget devices from other manufacturers. Some Android phones never receive security updates beyond their first year of sale. By every metric, Android's fragmentation problem is worse than iOS's patch gap.

But that comparison flatters Apple without answering the harder question. Apple controls both the hardware and the software for every iPhone in existence. No other smartphone manufacturer has that level of vertical integration. Apple decides when updates ship, how they are delivered, and which devices receive them. The company could, in theory, force-push a critical security update to every compatible device within 48 hours, overriding user deferral settings for vulnerabilities of sufficient severity.

It does not do this. Apple's current approach respects user choice on update timing, prioritizes device stability over speed, and accepts the resulting patch gap as an engineering tradeoff. That tradeoff was defensible when the threat was theoretical. With a free, weaponized exploit chain in public circulation, the calculus deserves revisiting.

Apple patched the core DarkSword vulnerabilities in iOS 26.3, released in February 2026, and on March 21 published an advisory urging users to update. By the time 90 percent of eligible devices have installed the fix, the calendar will likely read June. For the 100 to 150 million iPhones that will never receive iOS 26, there is no calendar date at all. The patch exists. The gap remains.

Sources:
  • Apple Developer Support, "iOS and iPadOS Usage," developer.apple.com (accessed March 2026)
  • Apple Security Updates, "About the security content of iOS 26.3," support.apple.com, February 2026
  • Apple Support Document #126776, support.apple.com, March 21, 2026
  • Asymco, "1.7 Billion Customers," asymco.com, February 2, 2026
  • Statcounter GlobalStats, Mobile Operating System Version Market Share Worldwide, gs.statcounter.com
  • Mixpanel, "iOS Adoption Trends," mixpanel.com/trends
  • CISA, Known Exploited Vulnerabilities Catalog, cisa.gov/known-exploited-vulnerabilities-catalog
  • CISA, Binding Operational Directive 22-01, cisa.gov
  • Jamf, "Security 360: Annual Trends Report 2024," jamf.com
  • U.S. Government Accountability Office, "High-Risk Series: Urgent Action Needed to Address Critical Cybersecurity Challenges," GAO-24-107231, June 2024
  • Zerodium, Exploit Acquisition Program, zerodium.com/program.html
  • Apple, "Apple Platform Security Guide: Rapid Security Responses," support.apple.com
  • Apple, "Apple Security Bounty," developer.apple.com/security-bounty
  • Google Threat Intelligence Group, "The Proliferation of DarkSword," cloud.google.com/blog, March 2026
  • The Hacker News, "DarkSword iOS Exploit Kit Uses 6 Flaws, 3 Zero-Days," March 2026

This article was AI-assisted and fact-checked for accuracy.