I would have expected Apple to catch that on review. That was a egregious failure and betrayal of trust on their part. I wonder if they took any responsibility for the consequences of their error.

I'd agree if you wrote that most users don't understand security at all, that users aren't really given the tools they need to maintain security, or that exploits are designed to target people's vulnerabilities. You seem to be blaming the victims of motivated (sometimes) advanced actors. Even serious engineers have been phished for NPM publishing access.