Cisco isn't exactly making things hard on attackers. Here are a couple of other vulnerabilities that could be used in conjunction with this one: a hardcoded credential vulnerability in IOS-XE (CVE-2018-0150). IOS-XE hasn't been without privilege escalation vulnerabilities either (e.g. CVE-2019-1754, among others).
Many orgs are unwilling to take a network outage for patching, especially in places like their DCs, internet or WAN edges where many of these devices would be deployed. I'm also aware of companies that are understaffed, where employees don't have the extra cycles to patch or apply workarounds. These are the same places that don't have active cyber security departments (no red-team, no vulnerability scanning, no dot1x and no written cyber security requirements) and don't budget for redundancy (making it even harder to patch). It only takes one forgotten NAT and firewall rule or a misplaced/unapplied ACL to end up with something exposed to the internet that shouldn't be. With how sophisticated some attackers have become and the slow rollout of network patches, this will probably be actively exploited even if it hasn't been already.
While there are a lot of CVEs for pretty much all equipment like this from all vendors, they require access to the mgmt interface to be exploited. These devices do the heavy lifting in ASICs/NPUs, so the control plane and forwarding plane are separated (some things requiring CPU processing, such as routing protocols, need to be forwarded from the forwarding plane to the control plane), but this requires some configuration to be fully secure, easily done however.
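As an added example (not from the commenter above and not Cisco's own text), an IOS-XE configuration fragment showing the kind of management-plane hardening that comment refers to: SSH-only VTY access restricted to an assumed management subnet, the cleartext HTTP server disabled and HTTPS restricted to the same subnet, and a control-plane policing policy that lets routing protocols through while rate-limiting everything else. The subnet (10.0.0.0/24), ACL and class names, and policer rates are placeholders to be adapted; exact `ip http access-class` syntax varies by release.

```cisco
! Constructed example: management-plane hardening on an IOS-XE router.
! 10.0.0.0/24 is an assumed management subnet; adjust to your environment.
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
 deny   any log
!
! SSH only, and only from the management subnet, on every VTY line
! (0-15 so no unrestricted lines are left beyond the default 0-4).
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
!
! Drop cleartext HTTP; restrict HTTPS to the management subnet
! (newer releases use "ip http access-class ipv4 <acl>", older ones a numbered ACL).
no ip http server
ip http secure-server
ip http access-class ipv4 MGMT-HOSTS
!
! Control-plane policing: traffic that must reach the CPU is classified
! and policed so a flood toward the control plane cannot starve routing.
ip access-list extended CP-ROUTING
 permit ospf any any
 permit tcp any any eq bgp
 permit tcp any eq bgp any
ip access-list extended CP-MGMT
 permit tcp any any eq 22
 permit tcp any any eq 443
!
class-map match-all CP-ROUTING-CLASS
 match access-group name CP-ROUTING
class-map match-all CP-MGMT-CLASS
 match access-group name CP-MGMT
!
policy-map COPP
 class CP-ROUTING-CLASS
  police 1000000 conform-action transmit exceed-action transmit
 class CP-MGMT-CLASS
  police 256000 conform-action transmit exceed-action drop
 class class-default
  police 64000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
```

Verify the result with `show access-lists` (hit counters on the deny entry reveal unexpected sources) and `show policy-map control-plane` (per-class conform/exceed counters).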
The control plane is typically a Linux distro these days (some run FreeBSD, QNX, or some in-house developed OS) with some open source applications on top (Apache or others as web servers are common for mgmt), some proprietary apps, ASIC drivers etc. A Linux distro you are seldom allowed to make changes to or update software on, fearing that it will cause problems for customers; same with the apps running on it. Even if you do upgrade it you have to get your customers to do it as well; most upgrades require scheduled downtime and typically come with new fun bugs. Most of the CVEs come from the open source software running on these devices, some from them messing up configuration on them. Very few come from the proprietary apps as they mainly deal with network control protocols and not mgmt.