True, but generally either those bugs have been patched and the scripts only effect older versions, the disclosure was done on the darknet rather than publically (so the developers aren't aware of the issue) or it was disclosed to the company first then publicly and the developers have decided it was't a big enough issue to be worth patching.
Public disclosure of a bug is a pretty small proportion of automated scripts, which tend to favour detecting and exploiting known existing bugs which just might not have had the patches installed yet and using that to get access to the server, and an internal IP for the network to access other systems (like the Sony server hacks back when Geohot was sued, the boxes used for entry hadn't been patched in years despite fixes for the bugs the hackers exploited having been released for some time)
Biting the hand that feeds IT
