All of those hoops are removed if the app is signed by an Apple 'enterprise deployment' certificate. Someone anyone can get just by asking.
No, those are all the hoops you have to go through to accept the "enterprise deployment" certificate profile the first time, then accept the app launching the first time. Also, the phone needs to be unlocked to accept any of these dialogs.
But then Apple can just revoke the cert (which it did for WireLurker) and blacklist the malware on the Mac side (which it also did for WireLurker).