Actually this is kind of a sad situation; I have seen some SNMP publicly exposed, and a lot internally even when its' not actually being used and with default community.
It's one of those issues where a CISSP will evaluate the Impact x Likeliness metric and schedule a fix for 'next quarter'.
Similar to when the various big padding oracle web attacks came out; you'd have been in a much better position had you fixed the default error pages, but that's not enough a high-risk issue to prioritize a fix.
I'm not sure what I think about the first two parts of your comment, but I'm a nerd so I can't let the last sentence go: what do padding oracle vulnerabilities have to do with error pages?
my understanding was that at least one of the attacks from a while back only gave the oracle due to different actual error descriptions in the response, whereas had there been custom error pages defined for all errors, there was no oracle to use.
Nope. It's any behavior change in response to bad ciphertexts, which changes are easily inferred. For instance: Lucky 13 is a padding oracle that uses only very fine-grained timing information to discern errors.
It's one of those issues where a CISSP will evaluate the Impact x Likeliness metric and schedule a fix for 'next quarter'.
Similar to when the various big padding oracle web attacks came out; you'd have been in a much better position had you fixed the default error pages, but that's not enough a high-risk issue to prioritize a fix.