It happens all the time, and its as easy as sending a phone a text, or a packet, or escaping a sandbox, but you'll rarely be aware of it when you're infected because unlike the old days where malware would fill your screen with ads or something today they just silently collect your data or use your internet connection for careful port scans or DDoS attacks. NSO Group spyware (or similar) could be on your phone right now.
Hell, cellphones these days ship with spyware pre-installed. Samsung being the one of the worst for filling their phones with their own apps which spy on you constantly.
No nation state actor is going to waste a 0day on a random nobody. Even the recent Notepad++ exploit was only used against specific political targets. Any actor smart enough to be able to have an arsenal of 0days at their disposal is also smart enough to use them only where they are worthwhile because they will only get to do it once.
Believing you are more under threat from sophisticated government hackers rather than unsecured IOT devices, unvetted npm packages or hijacked download links is just LARPing for people who want to sound more important than they actually are IMO.
We've seen examples of phones being hacked which belonged to journalists, producers, editors, activists, staffers at NGOs, lawyers, security researchers, doctors, CEOs, HNWIs, government workers, and even their families and friends. You can bet there are people here on this site which would easily be considered valuable enough targets and because the people those targets associate with are also being hacked you can bet that there are lot of "random nobodies" caught up in it. It's also not just governments using attacks on cell phones, those just tend to be the most dangerous.