That is true today, but back in 2005 when the Xbox 360 launched we didn't have every government buying up security vulnerabilities by the truckload. The market for zero-days didn't really get established until the early 2010s when the 360 was on its way out. Every contemporary competitor to the Xbox 360 got hacked within its commercial lifespan, due to having comically awful security practices. Microsoft certainly was, at the time, 'better' than Sony or Nintendo; but the task they were doing was just plain impossible.

A game console is, effectively, a Point of Presence[0] for a DRM vendor. It's job is to tie the owner's hands so that they don't copy games, and that they don't buy games from competing companies. This is an incredibly difficult, if not impossible task. In contrast, while the iPhone's security also does DRM and developer lockout; their main concern is keeping you from getting hacked by nation states. Those are certainly more sophisticated and well-financed attackers; but they (usually) don't have physical access to or ownership over what you're trying to protect.

[0] In telecom, a PoP is the dividing line between your systems and someone else's. If that sounds really arbitrary, it's because that's how they untangled the Bell monopoly.

I mean, people definitely were doing zero day research before 2010.