Indeed, but would you believe Wired.com and WashingtonPost.com are vulnerable? That's insane. And I just checked a handful of sites off the top of my head. Again, Wired.com is load balanced, so only a percentage of its servers are affected (and it could even be fixed now).
Like I mention, Apache.org sets a terrible example, with their sites wide open. PHP.net, which I checked on today's 5.4.0 release of PHP, is also wide open and reveals they ironically are still running extremely old versions of Apache and PHP, lol.
What needs to happen is either an increase in user awareness, OR a change in defaults. One or the other, in my opinion.