I think you're confusing theoretical vulnerability to web-based scripting attacks with medical devices that use the Internet (or Internet2 in some cases) to send status updates.
Just because the OS is not patched for a specific vulnerability does not mean that vulnerability is active and actionable.
Now, look at all those pretty apps on your cell phone. How many of those have hackable code?
Just because the OS is not patched for a specific vulnerability does not mean that vulnerability is active and actionable.
Now, look at all those pretty apps on your cell phone. How many of those have hackable code?