If it was the case that the way all attackers worked was to have one ready exploit and only scan the port on which that exploit could work, then why are there good guys even seeing port scanning at all?