Comment by ivraatiems

How likely is it that the attacker, who now has all of their source code, has already identified several additional vulnerabilities they can use? Seems pretty likely to me.

I don't think advertisers, payment providers, service providers, or hardware vendors told 4chan what version of OpenBSD to run or how often to update packages. Those are tasks that require time and effort, yes, but they're not herculean. They could have been done. I think laziness and disinterest are the more likely reasons.