While there have been remote exploits against exposed management ports, the vast majority of compromised Mikrotik devices are caused by insecure configurations by users. Mikrotik is huge in the smaller ISP world and especially in developing countries due to the low cost, but those users are not always the most security conscious.
The linked article from Microsoft goes into some detail about the vulnerability in Mikrotik that was being used, and there are many other examples of this happening. Weak creds are also an issue, but their software is pretty buggy from a security standpoint. If you run Mikrotik gear exposed to the public internet, I hope you have good logging and are keeping a sharp eye on it.
Now hang on, the linked article mentions how a Mikrotik with compromised creds can be used as a C2 (as can most routers), and goes on to list the primary methods of compromise:
Default creds (configuration issue)
Common creds via bruteforce (configuration issue)
Exploit of CVE-2018-14847 (4 year old patched vulnerability).
All of the methods mentioned require local network access in a default configuration. None of these are issues from the public internet.
If you have lateral movement within most networks, you're already likely to have the ability to route and disguise traffic and use the network as a relay point.
I am interested to read of your "many other examples". I'm yet to see a serious network gear vendor without big vulnerabilities to their name. From memory, Cisco had about 4 backdoor root accounts found and CVE'd in 2018 alone.
