
Any site that has a GET route to /logout that does not check the referrer is vulnerable to this iframe/img attack.


Please don't rely on the Referer being present (ever). It's an optional header to send in a request and you can configure your browser — at least Firefox — to not send it for privacy reasons.

Logout (or anything else that triggers changes of any kind) shouldn't be a GET request.


Not true. Using the SameSite cookie attribute prevents CSRF through IMG tags. (On browsers that support SameSite, i.e. most browsers.)


It really shouldn't be GET anyways; that's asking for trouble.


Some of the pages that are exploited do use POST though. If it accepts authorization through a cookie and doesn't require an XSRF token or JSON content type, it is probably vulnerable.

But yes, in general, making actions happen in response to a GET request is a bad idea, since these are often cached and considered "safe" to retry.



