For example, there could be a web-based attack that would target unpatched webviews. This could be a maliciously prepared webpage or image on the web, favicon etc, and this piece of data could be distributed by an ad network, for example. So, browsing the internet with an out of date browser or webview could pose this risk.

Another issue is escalation. Again, we are in a speculative realm, but if a device is affected like how I described it above, it could then be the foot in the door for other attacks, like scanning the local network, and finding other devices to target, some of which might be also out of date, or be more trusting to a local device, than to an internet device. Like a router, for example, or a NAS with a passwordless LAN file share activated.

Another usage of an exploited device is it joining into a botnet, that then is rented out for any purpose the buyer would want, distribution of files, acting as a proxy for others, participating in a DDOS attack.

Thing is, most of this is automated actually. The devices on the internet are constantly scanned by automated means for vulnerabilities.

Basically the same as a computer. If you avoid installing random untrusted apps, you are generally safe (i.e. don't install random no-name Candy Crush clones from the Play Store every week like some people in my family like to do).

Every once in a while there's a more serious vulnerability that can be exploited remotely like Stagefright, but those are fairly rare and if you're here, you will probably hear about them.

anything internet facing has a ton. you're using it to browse a site that gets ad and you've got a vector -- wouldn't be the first time legitimate sites like NBC (nbc.com) served 3rd party adds with malicious iframes embedded in 'em.

mom takes her out of date tablet to check the news and bam she's rooted.