This bug could easily affect versions before iOS 10.3. It was reported to Broadcom in December, therefore was discovered before iOS 10.3's first beta was released. The initial report may have been for Android devices, and it isn't clear when it was discovered to also affect iOS devices. The blog post from Google Project Zero says that the Broadcom chipset in question has been used since the iPhone 4, therefore it might affect versions as far back as iOS 4 on new enough models (iPhone 4 or later, all iPads, recent iPod Touch).
The question is when the "Fast BSS Transition" feature with the bug was implemented on iOS: if Apple didn't implement it until a later iOS version, then earlier versions might be safe.
This needs testing with the demo exploit to confirm which iOS versions are affected.
For now, I'd assume all recent iOS versions are potentially affected, therefore all devices able to update to iOS 10.3.1 should do so, but it isn't urgent yet as the exploit hasn't been available for long.
Devices which can't upgrade to iOS 10 might be vulnerable; if so they are unlikely to get a fix unless Apple decides to do a "late" security update for iOS 9 (an iOS 7 fix for the iPhone 4 is even less likely).
Thanks for the details, David! Sounds like this will be a real reason to move to 10.3.1 sooner rather than later for those devices that can do it.
Adam et al -- Did you mean a reason to move from 10.3 to 10.3.1 or to move from 10.2.n up a notch (after a full backup, of course)?
We haven't been hearing of problems with 10.3, so yes, I think it's safe to update now and take advantage of 10.3.1's security fix.