The opportunity to add that code to the firmware was closed by Apple last year. Now, the Firmware can no longer be updated or changed by any peripheral plugged into an ethernet, USB, or Thunderbolt port, which is what the CIA's software was designed to do. Even a SuperUser cannot update the firmware without an additional beyond SuperUser passcode to prevent just this kind of scenario and that passcode must be input manually from the keyboard.
Not true. There are two chips in the phone AP (application processor) and BP (baseband processor). BP controls antenna and radio and runs RTOS (real time operation system). BP and AP share memory and BP can inject malicious code BEFORE AP loads OS.
BP can be controlled via fake cell tower installed close to the targetted phone.
Only secure custom phones costing $10K are not vulnerable to radio penetration.