[xdude]

Well there's all the lazy people who just take one look at terminal and hate it.  So they grab VestaCP since it's a one liner installation by copying and pasting the installation command onto terminal for it to start downloading everything onto the container.  Don't you find that convenient anyway?  But sticking with only terminal via ssh and uploading and downloading files via sftp would be the most secured way to manage a web server if you can protect your ssh server properly so bruteforce hackers won't get into your server.

It's not practical to stick with terminal in all situations. That's the problem. For example if you have dozen or several dozen sites then using Terminal is a simple nightmare. Same goes if you have clients whom you need to give access but they don't know how to use terminal. Same goes if you running web hosting business.

These exploits / bugs can happen in anything not just in control panels. Everyday developers and security experts find this kind of things in operating systems and other modules like Apache, Sql servers, ftp servers etc. That's why always get soo many patches and updates. It's an occupational hazard and never ending war. All we can do is make sure everything is upto date and have solid security measures implemented in your servers.