yuhong
Export cipher suites have been known to be weak for years.
They have been known to be weak literally since their inception. The entire reason for export cipher suites was to create encryption that could be broken by the US government.
No one should have permitted them since the export control was lifted in 2000.
That does not change the fact that some sites did in fact continue to permit them as 'last resort' ciphersuites, to ensure total browser coverage. This did not compromise site security for users who supported actually secure ciphersuites -- until now.
Responsible disclosure should mean that impacted sites (if they have been identified) should be informed before being publicly shamed. Doesn't matter if they were doing something dumb; it wasn't a known security vulnerability before now.