I know for a fact most people click every link they receive, or I wouldn't get so much mandatory security training at work, so if millions of people are just walking around after downloading random PDFs and word documents from their email onto their phone, what does this mean?
I don't think I have ever updated a phone app and thought "wow this is an improvement I sure am glad I updated"
exactly! I'm not saying people are wrong not to update, but if given the option many won't because of mostly valid reasons like that. free/open source apps tend to be better in this regard, generally security fixes will be backported to old versions for the lifetime of the OS, rather than forcing everyone to update to the latest version to get the security fixes. More recent developments like rolling release distros and flatpak, snap, etc. are moving away from this though... (for both good and bad reasons). But at least if it's open source there will always be the option of backporting the security fix, proprietary apps don't even give you (or the community at large) the option