He's probably referring to injecting/deploying the keylogger in the first place. Either it came with a malicious software, via a system exploit, or someone installed it having physical access.
Or, like in the case of Judy, people installed it willingly, because it was hidden inside a game. If a game or some sort of application people install on their machine had a key logger component, we'd consider that malware, and still no vulnerabilities needed, just basic social engineering.