Using what's already been done so you can concentrate on novel stuff is the mark of someone who's competent, not incompetent. Not that there are not incompetent crackers (and any other skill/profession) out there, there are. Your metric is oft repeated, but it smacks of bullshit if you spend any time thinking about it.
Not really, perhaps to those that don't have any knowledge relevant to the situation it might seem that way. But these tools are created and tested the way that conventional software is, which is to say that the tool kits never are completely up to date.
What's worse is that the actual crackers out there with any talent at all aren't going after servers with known vulnerabilities, they're going after ones which haven't yet been cracked, just about anybody can take down a server with a known vulnerability and you can frequently find out what the basic environment is with little effort.
The ones that are actually worth worrying about don't need to rely upon the server to be running unpatched software to get in.
Like I said, the guys using that sort of software are typically less talented than others are, and anybody who gives it some thought would see that.