Let me help a bit by trying to explain the situation. If you produce something that is a million lines of code you will most likely have at least a few hundred to a few thousand bugs in there. Some of those cause crashes, some of them cause hangs, and a small percentage will cause you to increase your privileges. Combine enough of those and sooner or later you end up with RCE. The problem is that you as a defender don't necessarily have the same budget to audit the code and to close it all down to the degree that an attacker has.
You need to do an absolutely perfect job in always spotting those RCE capable issues before an attacker does. And given the numbers involved this becomes a game of statistics: if there are 200 ways to get RCE on OS 'X' then you need to find and fix all of them before attackers do. Meanwhile, your system isn't a million lines but a multitude of that, there are your applications to consider (usually of a lesser quality than the OS), the risk of a purposeful insertion of a backdoor and so on.
So I don't think it is unreasonable to presume that any OS that is out there most likely has at least a couple of these that are kept 'on ice'.
I work in security. I know all of the above. But the parent said that "any government can buy RCE on any OS"; that is not at all the same as saying that it is plausible that a few of the more advanced countries probably have a few critical exploits "on ice". They also stated it as a fact, not as a possibility.