It's not clear to me if you're right, but I would rephrase the issue this way:

If there's a vulnerability in Whatsapp, the injected code should only affect Whatsapp.

Otherwise, it's (also) a vulnerability in iOS.

That might be enough for what they are doing. At least it will allow them to spy on whatsapp messages and parts of the system that Whatsapp can access (contacts etc)

Ofcourse the whole point of Whatsapp is secure communications and I guess the exploit makes that pointless.