A lot of this code isn't updated though. Think of how many abandoned wordpress plugins there are (for example). So the defenders could, but how do they get that code to fix it?

I agree after time you end up with a steady state but in the short medium term the attackers have a huge advantage.