We still don't know exactly how the hacking of celebrities' iCloud accounts happened. One reason is that the accounts may have been hacked in different ways, making it hard to pinpoint a single method. Some of the actresses may have had their iCloud passwords brute forced directly (which is what Apple claims); others may have had their Dropbox passwords stolen, which the hackers then used either to pull the photos from Dropbox or to log into the iCloud accounts. Still others may have had weak security questions that were easily guessed and then used to gain access to the accounts, and so on.
One scary method that seems to still be working, according to some hackers, is using forensics tools like the ones the police use all the time to hack into phones (with or without a warrant, although a recent Court ruling said the police need a warrant to do it).
This brings us to something authorities have supported for years: the idea that if you give back doors or vulnerabilities only to the "good guys", then everything will be fine. But time and time again we learn that these very same vulnerabilities or back doors can and will be used by the "bad guys", too. If there's an open door in a house that's "meant for the good guys", there's nothing stopping the bad guys from finding it and entering the house as well. It's the same with software.
One piece of software being sold by a Russian company to government agencies all over the world as a forensics tool is the Elcomsoft Phone Password Breaker (EPPB). Forensics tools are typically used when the device is already in the possession of the people doing the data extraction, but EPPB appears to be able to extract all the data from an iOS device remotely by impersonating the device itself, as long as the interested party already has the user's iCloud credentials.
EPPB is not the only forensics tool out there that can obtain data from iOS devices. One from Oxygen, for example, promised to take advantage of the recently discovered "iOS back doors" just weeks after the flaws were revealed. The tool could obtain data such as SMS messages, pictures and videos, but also instant messages from third-party apps.
If Apple is serious about the security of its users, it will need to close any loopholes in its software and operating systems. To do this, Apple will need to pay much closer attention to companies offering such forensics tools, note the "features" they advertise for cracking iOS devices, and try to make those tools obsolete as soon as possible. This way Apple can make another major hack of iCloud accounts or iOS devices much less likely in the future, and the same strategy can also stop many other, perhaps less publicized, attacks against regular (that is, non-celebrity) individuals.
Devices or services can never be 100 percent secure, and it's true that often the user bears some fault for using weak security, but Apple can also be more proactive about protecting its users.