You'd be surprised; on Windows, at least, there are people who reverse engineer the security patches from Microsoft in order to determine the initial vulnerability[1].
Because there are enough people running Windows who haven't applied the patch that figuring out how to exploit it is a worthwhile undertaking.
Then again, IME of many years as a PostgreSQL DBA, the vast, overwhelming majority of postgres shops aren't running anywhere near the latest release, so depending on how far back this vulnerability goes, there could be a very large number of exploitable targets...
[1] http://www.phreedom.org/presentations/reverse-engineering-an...
Edit: Misinterpreted your post. You're right, it's unlikely that they'll guess where it is until a patch comes out.