Yes, the risk is much higher than the cost. From the article:
> The company's internal review of the incident continued. Upon discovering a vulnerability in the Apache Struts web application framework as the initial attack vector, Equifax patched the affected web application before bringing it back online.
That bullet point lies between the "July 30th" and "August 2nd" bullet points. Based on that timeline, the vulnerability took days to patch.
I agree, there are many competitors to React for targeting the DOM, but there is much less competition for targeting Native. I hope to see more JSX-to-Native engines pop up soon to solve that problem.
> The company's internal review of the incident continued. Upon discovering a vulnerability in the Apache Struts web application framework as the initial attack vector, Equifax patched the affected web application before bringing it back online.
That bullet point lies between the "July 30th" and "August 2nd" bullet points. Based on that timeline, the vulnerability took days to patch.