> How complicated is "they knew about the vulnerability for years, never documented it, never warned users, never fixed it" ?
Did you even read the page at the link you gave me?
It was documented. It was an edge case vulnerability that couldn't be made to work over a network. Even if it could, the data theoretically at risk of being exposed wasn't significant payload. It wasn't fixed because it was purely theoretical, not a production vulnerability of any significance.