Typically the infrastructure it is based on, like IBM WebSphere or other app server is extremely vulnerable and unpatched - e.g. configd by some clowns who have no clue how to setup a secure webapp -...