I'm sure even 99.99% of current Apple employees couldn't digitally sign an iOS update with the legitimate key. I'll bet that signing takes place in a locked room only a few people have access to - bring in a USB drive containing the unsigned OS, plug it in along with one of several identical USB keys containing the signing key that NEVER leave the room to a Mac in that room that's not connected to any network, click a button to sign the OS. I'll bet they require another person present while this happens to insure they don't make a copy of the signing key or sign anything other than what they are supposed to be signing.
Considering the potential cost to Apple if that signing key escaped (i.e. billions) I'm sure they have a very good process for keeping it secure and the number of people who will ever touch a device that has the actual key on it is in the single digits.