Some of the issues are due to the bad use of open source code as well
I've found many devices built on open source code, but still using old, buggy ones even when updates and fixes were available - but sometimes they use "abandoned" ones and never spent the time to change the code to use a different one.
It looks like developers never minded to update it, probably because the old "it works, don't touch it" rule is still in use. Often, the same handful of libraries are used across a wide range of devices even of different vendors, meaning a flaw will have a large impact.