Later, at that same URL, is a crap article on SBOMs. The author either ignores, or is oblivious to, the fact that attackers have been checking for vulnerable dependencies for decades.
If he has been pen testing for 20 years, he should certainly know this. He should also know that defenders are less likely to put the same level of effort into tracking down libraries. I don't mean that in a disparaging way to the defenders out there. They're relying on the developers to do this work because the developers are the ones who can actually fix the issue. All the blue team (operations) can do is report it to the devs and try to mitigate it in the meantime. So it makes sense that defenders wouldn't be spending their time this way. Devs should be, and if SBOMs become a requirement (de facto or otherwise), they will be.
Making it easier to make this determination with #SBOMs will benefit #attackers, but it will benefit #defenders more.