Sure they do - all the major web servers and hosting platforms can use and define vhosts (it's just that the mechanism for creating them differs on each platform). IIS for example, if you create a new site, using "All IP Addresses" port 80, will require that you designate a host header so that the HTTP engine can route the request to the right Web Site (and corresponding content). All IP Addresses port 80 with an empty Host Header acts as a "catch-all" and is assigned to the Default Web Site. Which you generally disable, and create your own config for, if you know what you're doing. Apache, on the other hand, configures those vhosts in text files (nowadays under sites-enabled, as I recall). But the functionality is all there on pretty much all major platforms.
Now if you're arguing that the administrators of IIS servers are exponentially less likely to have a clue about host headers, when compared to their Apache/nginx counterparts - well then from my experience you're absolutely right (my history is MS consulting, and the number of IIS admins who want 20 IP addresses for 20 sites because they don't get how to do host headers, DNS resolution etc, cannot be counted - the reverse can be counted on both hands over 20 years of doing this stuff).
No, it means anecdotal evidence is to be taken as better than no evidence whatsoever. Not everything is black and white, one side of the fence or t'other.
Consider this as a scale - Peer reviewed, multiple-source reproducible trumps anecdotal evidence, but anecdotal evidence is still better than the absence of any evidence on either side.
Cop 1: "He looked like he was hiding something, yer onner". When we stopped him he kept looking around and acting strangely."
Cop 2: "Yeah, yeah, wot he said."
You: "I did no such thing, your honour."
Judge: Both cops say you did, 2 trusted public officials with no reason to lie against 1 obvious reprobate, probable cause, case dismissed with prejudice.
Except the fuckers crashed my machine when they pushed out the update.
Citation needed, since I recall no such major outcry. Your machine is probably one of the ones with 25 browser toolbars, or ten download accelerators, or fifty outdated browser plugins, or a couple of undetected rookits etc., which is usually the reason behind a security patch "crashing your machine".
And if Windows closed the app with unsaved work, you'd be here whinging that Microsoft destroyed your work. And if you really gave a crap, you'd go in and change the Windows Update setting from "Automatically install" to "Ask me first".
Microsoft has done some seriously stupid stuff. And some bad stuff. But if you want to abuse them, at least abuse them for the stupid stuff not the sane stuff.
Actually - that their software is open is irrelevant to the problem. Are they running their own servers with openssl/openvpn/??? or using third party appliances? Did THEY create and build the hardware from the ground up or purchase it from a third party? The balance of probabilities may say their inter-DC encryption is done on a secure, up-to-date and built-and-operated-to-best-practices RH server, but it's not a guarantee.
And just like this scenario with Microsoft, how is anyone going to audit the deployment? RH will most certainly not allow twenty million users to tour their datacentres and audit each and every device. So just like Microsoft's environment, and despite RH's code potentially being open, there is absolutely no way to vet the environment. You have to trust the organisation (and each and every person involved in the decision tree). I really don't see a significant and meaningful difference - the open code has no bearing whatsoever on what's actually running (both code-wise and configuration-wise).
I'd guess the potential killers have higher moral standards than the execs, and don't want to inflict the mental pain / sorrow on the not-guilty family members. Sadly this means the morally bankrupt studio execs can't be expunged from the gene pool.
That and there's a huge line of contenders to replace the execs anyway, all with moral compasses permanently set to "screw everyone except me".
Think of it more like a reminder and a chance to begin the education of those who were suckered in by their friends/colleagues (and who aren't/weren't privacy-conscious to start with).
I don't have a Facebook account now because of privacy concerns. But I didn't get one originally (04-05 I guess?) because frankly I'm a bit of a loner and I couldn't think of a group of people I'd rather avoid than those with whom I went to school. Yes, I've missed out on staying connected to people with whom I'd want to continue to associate (Uni friends), but I'm not sacrificing my privacy for it now. I'd rather be detached and a little boring. It's a choice - but I hope an informed one.