This is a case of legacy code left in an important attack surface. I doubt many people need a virtual floppy drive today.
0x0
Nonsense. I use the virtual floppy drive in VMs all the time, because I'm virtualizing legacy systems. But I do agree it could probably be disabled (and thus unexploitable) by default.