By design, Adobe Flash was insecure and allowed code to either pretend to be something on your system or actually hook operating functions that should be reserved for local administrators.

The problem however was not with Flash itself, but with the browser plugin that co-opted your web browser to run Flash programs. It combined the insecurities of Flash with the insecurities of the browser plugin architecture making it almost impossible to properly secure the browser when the plugin was enabled.

As a response, HTML5 was created that allowed the same functionality as Flash Plugin, but built on top of an architecture that built security into the basic design. Apple famously adopted this for Mobile Safari and refused to support browser plugins at all.

Years later in 2017, after Adobe had already switched all its products to producing HTML5 instead of Flash, they decided it was time to stop pouring money into monthly security patches for Flash Plugin, and announced an end of life date (last December). When December rolled around, they published one final update: an update that disabled Flash permanently and informed the user they should switch to HTML5.

To more directly answer your question: malware authors were constantly finding and abusing exploits within Flash they used to install malware on victims’ computers — bitcoin miners, ransomware, botnets, credit card and account scrapers, etc. Every time Adobe fixed something, two more vulnerabilities would be abused to attack real people.