Captain Bodge-tastic speaking
I wouldn't overestimate the abilities of your average Raspberry Pi user - it's become very easy to follow a simple set of instructions in an online forum without understanding a lot about what you're doing, and in doing so leave the thing wide open to abuse. An awful lot of them are connected to the net.
I had to double-check that one of mine, which is online and will accept SSH connections, is not visible from the public IP it's on. I've changed the default password, as I do for all devices, but aside from a weekly cron job to perform an automatic update, it is sat there as a VPN server. I think that I've firewalled everything off with iptables (apart from the VPN port used), but I set this up 3 years ago and I really cannot remember. I'm currently 7000 km away from it without a computer, so it's difficult to check right now... (posting from a mobile)
I imagine there are a lot of such devices out there connected to the net, as some amateur project set up by an enthusiastic hobbyist. In my experience it was hard enough getting it working as intended, let alone hardening it against attackers beyond the basics of changing a password (which I think is enough to defeat this malware if I RTFA properly)...
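An added check for the set-up described in the post above (not the commenter's own script): it audits an `iptables-save` dump and passes only when the INPUT chain defaults to DROP and the only ACCEPT rules are loopback, established flows and a single VPN port. The VPN port 1194, the conntrack rule shape and both sample rule sets are constructed assumptions.

```shell
#!/bin/sh
# Audit an `iptables-save` dump of the filter table, read from stdin.
# The INPUT chain must default to DROP, and the only ACCEPT rules allowed
# are loopback, established/related traffic, and one VPN port (argument 1).
# Returns 0 when the chain matches that intent, 1 otherwise.
audit_input_chain() {
  port="$1"
  dump=$(cat)
  if ! printf '%s\n' "$dump" | grep -q '^:INPUT DROP'; then
    echo "FAIL: INPUT policy is not DROP"
    return 1
  fi
  # Every INPUT ACCEPT rule that is not one of the three permitted shapes.
  bad=$(printf '%s\n' "$dump" | grep '^-A INPUT ' | grep -- '-j ACCEPT' \
        | grep -v -- '-i lo ' \
        | grep -v -E -- 'RELATED,ESTABLISHED|ESTABLISHED,RELATED' \
        | grep -v -- "--dport $port " || true)
  if [ -n "$bad" ]; then
    echo "FAIL: unexpected ACCEPT rules in INPUT:"
    echo "$bad"
    return 1
  fi
  echo "OK: INPUT drops everything except lo, established flows and port $port"
}

# Constructed sample: the rule set the post describes (only the VPN port open).
write_good_dump() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
COMMIT
EOF
}

# Constructed sample: same box, but SSH was also left reachable from anywhere.
write_bad_dump() {
  write_good_dump | grep -v '^COMMIT$'
  echo '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'
  echo 'COMMIT'
}

# Demo on the two samples; on a real box: sudo iptables-save | audit_input_chain 1194
write_good_dump | audit_input_chain 1194        # OK
write_bad_dump | audit_input_chain 1194 || :    # FAIL: port 22 is exposed
```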