Yes. You can't use force or coercion to rob a server of data; all you can do is ask nicely (or repeatedly).
In a just world, we would let full responsibility lie with those who deployed the machines without understanding the consequences of, e.g., no login failure rate limiting.
An exploit is asking nicely; all I did was GET /????\n\n\n\nfjasdfuisdjflkwenuadfnwerAAJLKJFIEFSEIFJSDLFKJERIWERRISLDKJLDKJF and then I connected to a shell on port 8118? I mean, it just answered the request ...