
Didn't Bezos' phone get hacked through a WhatsApp message? I know they're not talking operational comms, but how confident are we these two apps are exploit-free?


We are not. It’s software.

E2E encryption is tight until you hack a client or system on either side, but at least it makes it nearly impossible to attack the middle.


No application is exploit free. Freedom from basic framework- and language-level vulnerabilities is not an option with any modern messaging protocol, secure or not.


> but how confident are we these two apps are exploit-free?

We aren't. Exploits are found in decades-old software that we once believed was relatively well vetted, and in Signal's case their desktop app, for example, had a rather nasty XSS about 14 months ago or so: https://www.cvedetails.com/cve/CVE-2018-11101/

That doesn't mean there isn't a huge difference between Signal and everyone else:

WhatsApp keeps on uploading unencrypted backups to places where it is known to be within reach of NSA, so if NSA is in your threat model, forget about WhatsApp. They have also been sloppy when it comes to accepting remote client swaps, and they've also had at least one nasty vulnerability.

Telegram, AFAIK, has managed to annoy most leading cryptographers so they don't care to put much effort into verifying it, it seems.


Maybe they're confident that WhatsApp does have backdoors because they put them there...



