Apparently devs can't anticipate attack events and they all prefer to stuff a hole after it becomes a real-world problem instead of killing the flaw beforehand.