I wonder how times the software world wide that was using log4j has used was audited by security teams.
Once you know it, it's such a trivial exploit.
It shows that just because a software has been audited it's not necessarily secure. You have to look at the right spots to find the problems.