While there have been remote exploits against exposed management ports, the vast majority of compromised Mikrotik devices are caused by insecure configurations by users. Mikrotik is huge in the smaller ISP world and especially in developing countries due to the low cost, but those users are not always the most security conscious.
The linked article from Microsoft goes into some detail about the vulnerability in Mikrotik that was being used, and there are many other examples of this happening. Weak creds are also an issue, but their software is pretty buggy from a security standpoint. If you run Mikrotik gear exposed to the public internet, I hope you have good logging and are keeping a sharp eye on it.
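The "good logging and a sharp eye" point above, as an added example that is not from the thread or from MikroTik: a small Python pass over constructed RouterOS-style log lines that flags brute-force sources and successful logins from outside an assumed management network (the 192.168.88.0/24 prefix, the failure threshold and every address and user below are assumptions made for the example).

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in RouterOS log style (date, topics, message). The two
# message shapes matched below follow RouterOS's failed/successful login
# messages; the addresses, users and times are made up for this example.
SAMPLE_LOG = [
    "jan/02 10:15:01 system,error,critical login failure for user admin from 203.0.113.7 via ssh",
    "jan/02 10:15:02 system,error,critical login failure for user admin from 203.0.113.7 via ssh",
    "jan/02 10:15:03 system,error,critical login failure for user root from 203.0.113.7 via ssh",
    "jan/02 10:15:04 system,error,critical login failure for user user from 203.0.113.7 via winbox",
    "jan/02 10:15:05 system,error,critical login failure for user mikrotik from 203.0.113.7 via winbox",
    "jan/02 10:15:06 system,error,critical login failure for user admin from 203.0.113.7 via winbox",
    "jan/02 10:15:09 system,info,account user admin logged in from 203.0.113.7 via winbox",
    "jan/02 10:20:11 system,error,critical login failure for user admin from 192.168.88.10 via winbox",
    "jan/02 10:20:15 system,info,account user admin logged in from 192.168.88.10 via winbox",
    "jan/02 11:02:40 system,info,account user admin logged in from 198.51.100.4 via www",
]

# Management networks allowed to log in (assumption for this example).
TRUSTED_NETS = [ipaddress.ip_network("192.168.88.0/24")]
FAIL_THRESHOLD = 5  # failures from one source before we call it a brute force

FAIL_RE = re.compile(r"login failure for user (\S+) from (\S+) via (\w+)")
OK_RE = re.compile(r"user (\S+) logged in from (\S+) via (\w+)")

def is_trusted(ip: str) -> bool:
    """True if ip falls inside one of the management networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def analyse(lines):
    """Return (brute_force, suspicious_logins): brute_force maps a source IP to
    its failure count once it reaches FAIL_THRESHOLD; suspicious_logins lists
    (user, ip, proto) successes from outside TRUSTED_NETS or after a brute force."""
    fails = Counter()
    suspicious = []
    for line in lines:
        if m := FAIL_RE.search(line):
            fails[m.group(2)] += 1          # count failures per source address
        elif m := OK_RE.search(line):
            user, ip, proto = m.groups()
            if not is_trusted(ip) or fails[ip] >= FAIL_THRESHOLD:
                suspicious.append((user, ip, proto))
    brute = {ip: n for ip, n in fails.items() if n >= FAIL_THRESHOLD}
    return brute, suspicious
```

A login that succeeds right after a run of failures from the same address, or that arrives from outside the management prefix at all, is the event worth alerting on; a single mistyped password from inside the LAN is not.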
Now hang on, the linked article mentions how a Mikrotik with compromised creds can be used as a C2 (as can most routers), and goes on to list the primary methods of compromise:
Default creds (configuration issue)
Common creds via bruteforce (configuration issue)
Exploit of CVE-2018-14847 (4-year-old, patched vulnerability).
All of the methods mentioned require local network access in a default configuration. None of these are issues from the public internet.
If you have lateral movement within most networks, you're already likely to have the ability to route and disguise traffic and use the network as a relay point.
I am interested to read of your "many other examples". I'm yet to see a serious network gear vendor without big vulnerabilities to their name. From memory, Cisco had about 4 backdoor root accounts found and CVE'd in 2018 alone.
My exposure to Mikrotik is that you need to download some Windows executable to speak some bespoke protocol to perform configuration of the device (specifically for RouterOS)? Is that true?
I've got some of their switches running SwitchOS, which is great, but my minute exposure to winbox has thoroughly put me off anything that uses RouterOS.
You can do everything through the web interface called "WebFig" (or even the SSH console), but honestly the Winbox MDI is much more convenient. I think the only Winbox-exclusive feature is connecting through Ethernet packets (without IP).
(1) SSH into your box for a shell and use the command line interface
(2) Use the comprehensive web interface
(3) Use the shell tool in the web interface
(4) Use wine to run the client