The exploit is in webkit, a library used by both youtube and spider. Youtube actually uses an even older version, in fact. It IS as easy as redirecting traffic. Like I literally just said, the youtube app is prone to MITM attacks. This was figured out like a year ago.
Version detection isn't possible with the youtube app since all versions have the same webkit version (and that doesn't update with system), but it's easy to tell users which link to go to for their system version.
Youtube still isn't a practical entry point since it's not on all devices and requires some mitm stuff rather than being entirely on-device, but I wanted to make it clear that technically there's nothing stopping an exploit from launching through the youtube app.
