We once (~2 years ago) had an Asus server with their BMC, which is much easier to expose: while it has a dedicated physical interface, by default it is also exposed on the first LAN port and configured to use DHCP. I can easily see how those boards leave you accidentally exposed in a colocation setup. But I'm still struggling to come up with a way to accidentally expose that on the internet. Public IPv4 isn't usually handed out via DHCP.
My best guess is that the vast majority of these 20k servers have their management interface deliberately exposed. Only takes 2000 people with 10 servers each to think this is a good idea.
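The two exposure paths the comment above describes (a BMC picking up an address via DHCP on a shared LAN port, and a BMC deliberately sitting on a public address) are both visible in the output of `ipmitool lan print`. The following audit script is an added example, not code from the original thread; the field labels follow ipmitool's `lan print` layout, while the sample outputs and the addresses in them are constructed for illustration (the `5.6.7.8` address is made up and not a real host). It flags a BMC whose address comes from DHCP and a BMC whose address is globally routable.

```python
"""Audit BMC LAN settings parsed from `ipmitool lan print` output.

Added example: flags the two conditions discussed in the thread,
a DHCP-assigned BMC address and a publicly routable BMC address.
"""
import ipaddress
import re

# Constructed sample in the `field : value` layout of `ipmitool lan print`.
# The addresses are made up; 5.6.7.8 stands in for "some public IPv4".
SAMPLE_DHCP_PUBLIC = """Set in Progress         : Set Complete
IP Address Source       : DHCP Address
IP Address              : 5.6.7.8
Subnet Mask             : 255.255.255.0
MAC Address             : 00:11:22:33:44:55
Default Gateway IP      : 5.6.7.1
"""

# Constructed sample of the configuration you would want: static, RFC1918.
SAMPLE_STATIC_PRIVATE = """Set in Progress         : Set Complete
IP Address Source       : Static Address
IP Address              : 10.20.30.40
Subnet Mask             : 255.255.255.0
MAC Address             : 00:11:22:33:44:66
Default Gateway IP      : 10.20.30.1
"""

# One `key : value` pair per line; the key is matched non-greedily so that
# values containing colons (the MAC address) stay intact.
FIELD_RE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<value>.*?)\s*$")


def parse_lan_print(text):
    """Return the `lan print` fields as a dict of label -> value."""
    fields = {}
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if match:
            fields[match.group("key")] = match.group("value")
    return fields


def audit_bmc_lan(text):
    """Return a list of finding tags for the given `lan print` output.

    "dhcp_source": the BMC address is DHCP-assigned, so whatever DHCP
                   server answers on the (possibly shared) NIC decides
                   where the BMC lives.
    "public_ip":   the BMC address is globally routable, i.e. it was
                   put on the internet deliberately or by a public DHCP.
    "unparseable_ip": no usable IP address in the output.
    """
    fields = parse_lan_print(text)
    findings = []

    source = fields.get("IP Address Source", "")
    if "DHCP" in source.upper():
        findings.append("dhcp_source")

    raw_ip = fields.get("IP Address", "")
    try:
        ip = ipaddress.ip_address(raw_ip)
    except ValueError:
        findings.append("unparseable_ip")
        return findings

    # is_global is False for RFC1918, loopback, link-local, CGNAT and the
    # documentation ranges, so a True here means the address is routable.
    if ip.is_global:
        findings.append("public_ip")
    return findings


if __name__ == "__main__":
    for name, sample in (("dhcp/public", SAMPLE_DHCP_PUBLIC),
                         ("static/private", SAMPLE_STATIC_PRIVATE)):
        print(name, audit_bmc_lan(sample) or ["ok"])
```

In practice you would feed it `ipmitool lan print <channel>` captured from each host (channel 1 on most boards), and treat either finding as a reason to move the BMC onto the dedicated port with a static address on a management VLAN.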