Sticking with “the average pc” and “the average phone” — I’d say there are more vectors of vulnerability in the wide arrange of sites and programs the average person interacts with on their PC than there is on a phone, as well as a PC being a better target to compromise than someone’s phone.
Happy to be proved wrong but I rarely hear about someone’s phone being randomwared, botnetted, remote accessed etc