You can't really exploit something when its attack surface is nearly nonexistent, which is the case for most people who use an outdated OS on their personal device, for example.
Even if there's an exploitable vulnerability, the exploit has to be delivered to the target system somehow. You don't have much of an opportunity to do that with a device that doesn't have a public IP address. Most likely the user themselves will have to do something that would compromise their system, like visiting a website that would serve them an exploit for their particular combination of browser and OS.
