Zero click exploits are a thing, but they are very expensive and have limited shelf life (once they have been used a few times, they tend to get found out and patched). Most actors won’t use one, unless it is a very, very high value target. It seems that the EU parliament member was not high value enough, and got lucky.
Just to be aware that's a start but it's not a full mitigation. Some of the prominent zeroclick exploits have been "rich content" in messaging products such as whatsapp[1] and imessage[2].
Definitely not an expert but I'm presuming they take advantage of the "helpful" behaviour those apps have to preview content and then pair that with some sort of exploit in the library that parses/displays the content. So say they have an exploit in a jpeg library that whatsapp uses then they send a specially-crafted jpeg via whatsapp, whatsapp "previews" the image and that triggers the exploit to compromise the jpeg library and pwn the user.
