Is that because Signal is as good or because they refuse to listen to anyone telling them to stop using it? Not a serious question, I know it'll be a decade or three before it can be answered from open sources.
But of course I forgot, it wasn't really even Signal they were using...
That’s more about officials acting illegally avoiding accountability by shielding their communications from their government. (Of course there’s probably a backlog of foreign governments on those devices.)
I can only speculate based on publicly available information.
When a was in grad-school, "state level actors" were the boogeyman. You were told to just assume that everything would be compromised to them.
I ended up specializing in p2p systems (distributed hash tables, overlay networks, communication systems) and "State Level Actors" become "in scope" for me. Modern cryptography is focused on the capabilities of hypothetical computers and making radically more computational power required than is reasonable to expect of current human economies. Backdoors in the codebases for encryption is a fun hypothetical, but the level of scrutiny they are under would require a conspiracy beyond any i could imagine to hide.
Eclipse and Sybil attacks were the real threats. Those are Operational attacks, not Signals.
Now that I have spend a decade in the security industry in larger corporations. "State Level Actors" are entirely in the threat model. We don't talk about it explicitly, but these companies stand to loose globally if any one government compromised them. Government funded actors are assumed to be the primary threat. Supply chain attacks like XZ are the ones that scare us, the ones we might have missed. That came from superiority in operations not technical superiority. They actively pay me and a bunch of other people a LOT of money to actively detect and prevent issues like this.
The other side of the argument is a human organizational one. The story of this decade of military spending is outsourcing. Biden's Supply Chain Security EO and the new DoD software procurement requirements are bandaids on gaping wounds.
Even with it's massive defence spending budget, the TLAs couldn't keep up with the industry while also securing all its software. They have 3rd party dependencies too. Assuming that they don't just allways directly outsource.
And why bother? These companies have the entirety of human communications MITMed. Why bother with a complex secret system when a FISA warrant is cheaper and more efficient. PRISM(For attack) and TOR(For defense) stand out as successes of operational attacks. They don't need technological superiority.
I fully expect TLAs maintain an android fork and linux forks, but that is opsec for dependency management, not adding special sauce. The industry simply has more resources and more eyes on the problem than the government could ever afford.
The last part is simple "Brain Drain". The people who are really good at this generally don't want to work for the government and have done too many drugs to ever get clearance. Unless they have a lot of security engineer salaries in classified budgets they also can't afford us. Governments have direct agents that are underpaid and underskilled and they have working relationships with criminal organizations who work deniable offense for them.
Opsec is clearly their leverage-able resource, why not lean into it almost exclusively?
