Re: Until next time
I would argue that the much bigger problem these days is developers (oh sorry, "DevOps") playing systems administrators with Docker and willy-nilly pulling in images done by who-knows-what without any constraints and considering all that smoldering mess fire-and-forget, never bothering to update anything - or indeed even understanding that they need to be updated.
The number of images pulled in from random individuals is frankly frightening and a disaster waiting to happen. And even in the rare case they do update, there are no guarantees that Jimbo in Lower Elbonistan bothers to keep their image updated.
Of course all of it is done with minimal understanding of anything, and why would understanding be necessary: just check from the README what few configuration parameters are needed to make it work and off to production it goes.
(Insert xkcd here about gluing stuff together)
I ran trivy once and there were thousands and thousands of high+ vulns in just one machine...