Actually hacking an Apple mobile device is actually extraordinarily difficult to do, and to date, no credible account of any remote hacking of a device has been reported.
Hacking your AppleID is a different issue, especially if you don’t use 2-factor authentication, and only use a password. Especially so if you use easily guessed or brute-force-hacked passwords.
Once someone has compromised your AppleID, they can even restore a device they have with your own iCloud backup, alter things in your backup and put it back in iCloud. If you restore from that altered backup, then yes they can add spyware, key loggers and so forth to your device. And they don’t even need to pay anyone for that - there are open source and commercial apps that will allow one to spy on someone via their iPhone or iPad if the person using the app knows their victim’s AppleID and can use it just as their victim normally uses their AppleID. If the AppleID is compromised, it’s really quite easy to wreak havoc on someone’s devices and privacy.
But the key was gaining access to your AppleID so they could login to iCloud as you.
If you use a strong AppleID password, enable 2FA, and keep your trusted devices and contact numbers private, it is extraordinarily difficult for anyone to compromise your AppleID.
This is precisely a prime reason Apple is requiring 2FA with AppleIDs. Your AppleID is the key to everything you have with regard to your Apple devices. If you don’t keep access to your AppleID secure, then nothing else really matters in terms of whatever devices you own and use.
If you think your Apple ID has been compromised - Apple Support