Some vulnerable components (e.g., framework libraries) can be identified and exploited with automated tools, expanding the threat agent pool beyond targeted attackers to include chaotic actors.
Virtually every application has these issues because most development teams don't focus on ensuring their components/libraries are up to date. In many cases, developers don't even know all the components they are using, never mind their versions. Component dependencies make things even worse..
How to solve it
One option is not to use components that you didn't write. But that's not very realistic.
Most component projects do not create vulnerability patches for old versions. Instead, most simply fix the problem in the next version. So upgrading to these new versions is critical.