Curl is such a small utility, and the effect of any single problem is limited.

Mythos's great strength was finding multiple vulnerabilities and chaining them together to break a whole system.

Look at it like this: It found one confirmed, minor vulnerability in Curl (but I don't think they have said what it was?). In another system that used Curl it's possible it could have exploited that vulnerability to chain to another, bigger vulnerability that was normally inaccessible.

That's how systems get broken.