Well, they do test it. The Wind River stack is subject to both Achilles tests (DoS and stack fuzzing) and Nessus tests, as well as Coverity static analysis tests. What happened is that they went to another outfit to further test the stack and this outfit came up with the 11 vulnerabilities several months ago that have just been publicly disclosed.
So here's how it worked:
Our industrial controller uses VxWorks and we were notified of the vulnerabilities under NDA on 26th June. Along with the notification, Wind River supplied us with the patches to the OS to fix the vulnerabilities, and provided a test harness to confirm that the patches were correctly implemented on our product. This gave us over a month to pull the patches in, rebuild the versions of our product that were affected and retest the network part of the stack. It was tight but we managed it. It should also be noted that Wind River provides its OS in source code form (who doesn't?) so we could inspect the patches and make our own conclusions and tests.
And yes, VxWorks has built-in security features... although I suspect that many product builders wouldn't include the firewall component that Wind River supply as a component of the OS. 4 of the vulnerabilities can be mitigated by applying firewall rules.