Is it possible that at least one of them had an exploit in them?
It's possible, but IMO it won't be easy to find. It's more likely we find exploit within CSPRNG/PRNG or someone put backdoor for
k values of ECDSA.
Reference link
https://eprint.iacr.org/2014/848.pdfMaking all of the transactions/addresses sent during that period vulnerable to attack?
You meant all transaction/address which contain address generated with exploited library? If so, the answer is yes if the exploit allow attacker to get private key with far less computational power.