Scanning IPv6 isn't as hard as you make it out to be. I look at it more like using dictionary attacks rather that sequential scans. The 1st 64 bits are known if your after a specific target. It is also trivial to know if a given /64 is even used. A tree of all known used /64 shouldn't take long to create.
The 64 bits of the host is a bit different. They could be fully random (which is rare) or they are allocated based on mac address or statically assigned. The mac addresses means that 40 bits of the address are known if you know anything about the targets buying habits (i.e. they tend to buy Dell or Polycoms). That leaves 16 million guesses which can be reduced based on the vendor or the product version you which you intend to exploit once you find a target.
You may not be looking for one in 2^64, but a network of devices that all may have many addresses and you might only need one.
The static address assignment space isn't very large as well as netadmins like using :: when they type in addresses so they are unlikely to be random. That means their 1st network will be 0::something and their second is likely to be 0001::something. Oddly enough you might find they skip ::a and use ::8,::9,::10 as well or use something that match with their existing ip v4 address so things like ::192:168:1:1 is very likely.
All these things mean that Monte Carlo scans of a specific IPv6 allocation on a remote network is well within the ability of small time hackers.
Throw in a firewall that isn't filtering IPv6 properly and that will result in remote exploits of internal devices.