It's no surprise they're vulnerable
When these things were designed, nobody thought any customer in their right mind would ever expose them to the Internet.
Then they started going online using good VPNs to firewall.
Anybody who puts this kind of kit out naked on the Internet is clearly asking for trouble - yet it happens.
Although Stuxnet got in by compromising the programming PCs then going the last mile to the SCADA systems via sneakernet, and I don't think there's anything the likes of Siemens et al can really do against that route.