This is like reminding that there are CVSes from 2010. Yes there are. And there are plenty of vulnerable systems.

They decided to not fix the vulns (either directly by not patching, or indirectly by not investing in cybersecurity). So exploiting them is somehow an act of mercy. They may not know they have a problem and they have an opportunity to learn.

Let's just hope they will have white or gray-ish hats teaching the lesson