I used to worry about malware.
I don't any more. It has just become part of the fear campaign to sell more stuff. Apple does security theatre. It is BS.
In 2008 (?), I had a fully patched, always day 0 updated, XP machine killed by a virus. At a dodgy website, the virus instantly walked directly through my browser and ate my hard drive. That drive was completely unsalvageable. It was the only time a virus, of which I have had quite a few, beat me. I fought that damn virus for a month, finally gave up and tossed the whole machine in the trash. It was old anyway, I think I built it in 2001. Being perfectly updated did nothing.
Everything on iOS is supposedly sandboxed. If there are flaws in that, oh well. I could care less. Every government and corporation and their mother's in laws are watching everything I do anyway, I don't care if some different criminals are watching me through my devices too.
My online purchases and banking are all insured one way or another. If there are fraudulent charges, they get reversed. If someone gets into my bank accounts and steals it all, that gets reversed too. So it is of no real consequence to anyone, including the banks that just "print" up some new digits to cover theft losses.
What IS of consequence, is if I update, my device is immediately degraded, permanently. I can't just reverse the charge. Screw that.
I'm done playing Apple's little games.
Never update.