The real story here is that 4 days after the vulnerability was made known to the devs, a patch was released.
Why? If no bad guys have found it, the difference between four days and three months is of little difference. If the bad guys have found it (or worse yet, planted it), the difference between five years and four days and five years and three months is also of little difference. Not the kind of casual bad guys that deal with cryptolockers and botnets and identity theft; if they found it, you'd probably see it in the wild and exposed. But targeted attacks for industrial espionage and such could probably use it in narrow attacks for a long time before being spotted.