Hmm ... not sure what "routinely" would mean, since installing any of this stuff requires physical access to the device. Can you say where you saw that claim? I would think installing any of this modified firmware would be done in a targeted way, or it doesn't strike me as very scalable. Unless of course, it was installed on all Apple devices in the factory or something, which I don't think is the claim.
Just my 2c.
Physical access to devices is very important. At my job (in the tech world) we are constantly reminded by our security people to never leave our devices unattended or accessible, even if they're off or locked. The stuff described here is but one reason why ...
One general observation I have about our normal human reaction to security news like this is that we tend to focus on the exotic (remote exploits, CIA programs, putting tape over our cameras, etc.) a bit more than the basics -- custody of devices, basic account security, password rotation, 2FA, understanding of encryption ... in my experience working with many news organizations, it's these basic things that actually end up causing the actual, real-life sorts of problems in terms of data theft and unauthorized access.