There were previous stances were besides these so called race time condition,java web token were used to exploit these casinos,from what it seems ,its always the new ones,since the big ones already had their fair shares of people trying to break in their system and probably already fixed many of these issues.
If the new casinos need to have more funds so they can secure the site, then I think this is possible as long as you offer a legit site, hackers and scammers can easily go on any site and collect the details, the gambling site should do everything to avoid any incidents like this, we are on a great time already where there’s a more strict way to protect the site.
Its not that much easy as you're saying, the scammer have to get access to the control panel of the site to make any changes but the data can be breached due to the server issues which may not steal the funds but the user data which can be a lethal if the site's KYC information database got breached because the scammer now know the real identity of the people who bet huge amount so it can be a very dangerous thing to happen in their personal life.