Cisco isn't exactly making things hard on attackers. Here's a couple of other vulnerabilities that could be used in conjunction with this one: Hardcoded credential vulnerability in IOS-XE (CVE-2018-0150). IOS-XE hasn't been without privledge escalation vulnerabilities either(eg CVE-2019-1754, among others)
Many orgs are unwilling to take a network outage for patching, especially in places like their DCs, internet or WAN edges where many of these devices would be deployed. I'm also aware of companies that are understaffed, where employees don't have the extra cycles to patch or apply workarounds. These are the same places that don't have active cyber security departments (no red-team, no vulnerability scanning, no dot1x and no written cyber security requirements) and don't budget for redundancy (making it even harder to patch). It only takes one forgotten NAT and firewall rule or a misplaced/unapplied ACL to end up with something exposed to the internet that shouldn't be. With how sophisticated some attackers have become and the slow rollout of network patches, this will probably be actively exploited even if it hasn't been already.