Yes. It likely that the reporters don't understand the technology involved, so their reporting on that topic is pretty vague. Humans tend to look where there's light, even if they know that't not the most likely place to find it. That said we have the words exploit, imessage, full access, email/phone number. We can piece together that they use a 'buffer overrun' style exploit to break out of iMessage, and and possibly several other exploits, till they have remote code execution on the device, and then they install a bot/server to collect data. Really difficult in practice, but a familiar pattern. IIRC there's a Wired article recently that reviews similar tech from another company, the author of that article says he sets his phone down in their office, and minutes later they have access to all his data.