Not sure what you’re meaning? A CVE like this: https://nvd.nist.gov/vuln/detail/CVE-2025-24201 found in 2025 impacts iOS versions before 18.3.1 (Safari and iOS are shipped together).

Which means there is a decent chance an iPad running 9.3.2 is vulnerable.

And there have been thousands of CVEs since 9.3.2. Most of low severity, but not all.

Apple patches anything with a proven exploit. While it may be vulnerable, no one has written and shown Apple an exploit.

Apple patches anything with a proven exploit as long as it’s in a supported version of the OS. E.g. They will not patch versions beyond macos 10.14 i believe, not sure what the cutoff for iOS is but it’s usually about 6 years of security updates. Which means that iOS 9.3.5 is well outside of that and so a bug that impacts that os will not be patched. Which means using an old device like that on the open internet is deeply foolish

My whole point is that what you believe isn't correct. Apple continues to release security updates for "unsupported" versions (let's be careful about terminology, that term is specific and we're both using it), generally for two more years after a version becomes unsupported.

This is in a lot of the reporting about the topic and linked repeatedly in these comments. Please don't repeat false information.

Now you're right that this particular really old version also doesn't get security updates - but boy do I not have that expectation, and I would be surprised if anyone acting in good faith did.