Like graphing calculators and math you don’t actually have to know how things work to get the answer.

Once a math equation is solved (vulnerability is discovered) that equation is added to a calculator (automation tools).

Bad actors (script kiddies) can use calculators (automation tools), to find math answers (vulnerable software).

EIL15:
Once an exploit has been identified it’s added to a public list of common vulnerabilities and exposures (CVE). That cve list is maintained and used to identify other instances of that vulnerability in different programs.

As a known cve ages that additional time allows bad actors to creat more automation tools that can exploit the vulnerable. Those automation tools are then distributed. That’s how you get script kiddies. Bad actors without the actual knowledge of the exploit but using automation tools that allows them to exploit without knowing how it works.

This is why older systems missing older patches are more susceptible to hacking. Now a days any program that can be reached by the internet can be crawled by automation tools (bots) and tested for the presence of known CVEs.

We use Enterprise tools to discover them, determine the risk score (chance of being exploited x damage if exploited), and patch/remediate before the bad actors do.