For example, there could be a web-based attack that would target unpatched webviews. This could be a maliciously prepared webpage or image on the web, favicon etc, and this piece of data could be distributed by an ad network, for example. So, browsing the internet with an out of date browser or webview could pose this risk.

Another issue is escalation. Again, we are in a speculative realm, but if a device is affected like how I described it above, it could then be the foot in the door for other attacks, like scanning the local network, and finding other devices to target, some of which might be also out of date, or be more trusting to a local device, than to an internet device. Like a router, for example, or a NAS with a passwordless LAN file share activated.

Another usage of an exploited device is it joining into a botnet, that then is rented out for any purpose the buyer would want, distribution of files, acting as a proxy for others, participating in a DDOS attack.

Thing is, most of this is automated actually. The devices on the internet are constantly scanned by automated means for vulnerabilities.