Well I am sorry to break it to you but… that sounds like your problem.
The changelog DID mention a VULNERABILITY. So it WAS broken. So it was YOUR responsibility to update YOUR router. You had twelve (12) months up until Kaspersky made a fuss about a year-old fixed vulnerability with only about a hundred (apparently targeted) infections. To me that’s just silly. It’s nowhere near anything serious. Plus, Kaspersky’s own paper shows infections on routers running v5.20 (most likely the Chinese cracked/backdoored release). Which means that whoever got infected was running cracked software that’s almost a decade old. In other words they were asking for it.
The ‘if it ain’t broke, don’t fix it’ mentality is no longer applicable to today’s society where from your laptop to your vacuum cleaner everything is connected to the internet. If you can’t/don’t keep up then leave it to some professional and do something else.
By the way, sorry, but if you don’t use HTTP then why are you complaining about it? The vulnerability did not affect you. What’s the problem then?
If you don’t trust proprietary software or if you don’t like the way Mikrotik handles stuff, you can always switch to another vendor or to an open-source solution. Nobody forces us to give our money to Mikrotik. Mikrotik has many issues and we complain all the time, but again - security is not one of them. They always address security issues on time (I mean real security issues, not “tech” journalists FUDs that the closest they’ve ever been to a router is the D-Link that their ISP gave to them).
Also, nothing was quiet about it. Just because you don’t (seem to) follow the forum, it doesn’t mean that there wasn’t an extended discussion back then about this vulnerability.
Here’s the official announcement that Mikrotik has as a sticky thread for MONTHS. If you had bothered to read any forum category it would have been on the top.
http://forum.mikrotik.com/t/statement-on-vault-7-document-release/106907/1
This was posted on March 8th. The very next day there was a patch fixing the vulnerability.
http://forum.mikrotik.com/t/v6-38-5-current/106902/1
If you don’t like the one-line changelog descriptions you can watch the forum. They ALWAYS create a new thread for each new release. And almost always on vague messages like that there’s a swarm of people asking for clarifications. At the end of the day, if you are too classy to post to a community forum and you want “proper” support, you could have always sent a ticket to support@mikrotik.com to ask for clarifications. Which obviously you did neither.
Again. All the things you mention are your problem. Mikrotik patched the vulnerability a year ago. You have NO excuse. Period.
Oh, one last thing, why on earth would Mikrotik release a scanner for Windows? Since when did they get into the antivirus business?
RouterOS and Winbox were just the delivery method for the payload. It could easily have been a WordPress site with a zero-day JS exploit delivering the same payload. Would you expect wordpress.org to release a ‘Windows scanner’?
Especially a whole year AFTER the patch was released with 14 releases since then?!