In a nutshell: Apple has pushed out an important security fix for iPhones, iPads, Apple Watch, and Macs to address a memory corruption bug with the company's WebKit browser engine. Left unpatched, these devices run the risk of being exposed to malicious web content that could lead to arbitrary code execution.
While many iPhone users would have expected a feature-focused iOS 14.5 update to drop - and discover that they won't be able to change the default music player after all - Apple has instead released an important security fix with the latest iOS/iPadOS 14.4.1, watchOS 7.3.2, and macOS Big Sur 11.2.3 patch.
In the patch notes, Apple describes the vulnerability (CVE-2021-1844) as a memory corruption issue in its WebKit browser engine that would have let malicious websites run code on its devices. The loophole was brought to Cupertino's attention by security researchers from Google and Microsoft.
The fix has been pushed out for devices including the iPhone (6s and up), iPads (Mini 4, Air 2 and up), the iPod touch (7th generation), the Apple Watch (Series 3 and up), and PCs running macOS Big Sur. This point release is a relatively small 144MB for Apple's mobile devices (if you're already on iOS/iPadOS 14.4) and can vary in size depending on your Mac model and Big Sur OS version.
It's currently unknown if the WebKit vulnerability was being actively exploited in the wild, though Apple unexpectedly releasing a security update should be a good enough reason for users to patch their devices.