You're assuming that all security issues are obvious known ahead of time, and that's clearly not true. You can't compare your average remote code execution vulnerability with a speed limit. Speed limits are posted; RCEs typically aren't as clearly documented ;)
I'm assuming that a hundred million users aren't made vulnerable by sheer wizardry. In all of the cases that the original article listed, I'd bet my salary that there was oversight in terms of the critical components or the architecture. RCE should not be enough to make that kind of dent, there should be more security there.
