A “vulnerability” in code is generally not the whole picture, it’s just the crack that gives them access.

Imagine the code as your car. For a bad guy to steal your car first he has to get in, that vulnerability could be a coat hanger and the knowledge on how to use it to open the door. Now getting the door open does not allow him to drive off and steal your car, but it does give him access to other vulnerabilities, like hot wiring.

So a single vulnerability generally does not give a hacker access to that much, but all they need access to is the next vulnerability and so on.

For example black Mamba (a major crypto ransom hack) gets access via a printer driver installed via a fishing email, or pays a user for thier credentials. The print driver vulnerability gives them access to install another vulnerability then another then another it’s a very complex hack