For me, there's a whole load of things wrong with this article.
First, people need to understand what a SAP router is. It is a piece of software which is designed to let SAP connect to your systems for support purposes. There are 85k SAP customers running these sorts of systems and most have several SAP routers. I'd expect there are around 250k SAP routers around the world.
Then you have to understand that SAP routers are designed to provide connectivity information for what SAP system to connect to - hence the word "router". They are also a primitive firewall, and herein lies the problem, because lazy administrators use them as a router and firewall and expose them to the internet.
This is stupid and irresponsible and a huge business risk to an organization. SAP routers do not provide protection and you need to use proper routers and firewalls. This is well documented and there are design guides for SAP routers that explain all this.
As the guy below says, those lazy administrators (3% of SAP routers) should be fired.
Then let's cover off the SAP systems that are out there. There are, as I said, around 85k ERP customers, most of which have many SAP systems. It's not unusual for larger customers to have hundreds, and this means that there are millions of SAP systems out there, and many different versions and patch levels.
SAP do of course release security fixes but the code base is huge and there are relatively few penetrations. I worked with a SAP defense customer some years back and they said they broke the SAP security protocol in 15 minutes. I looked worried and they said "Oh don't worry, 15 minutes is actually pretty good, your competitor took 30 seconds. We just have some rather good hackers".
But what this means is that the SAP stack has been poked at by some pretty good white hat hackers. The problem is that many customers don't apply fixes to server operating systems, databases or application layers, leaving all of them open to security flaws. As usual, this is the real risk.
What I really don't like about this article is that it gives a security vendor a load of publicity, when they have totally failed to understand the security threat and help customers address it. This is the point of security advisory services and they have totally failed.