True, but with these bugs it doesn't have to be the attacker that personally has physical access to the target machine. For secure sites the attacker may not be able to get past security, but if the device is innocent enough it might.
If you are a secure site you need to oversee the manufacture of all your USB cables, otherwise you don't know that someone hasn't put an attack into the cables you ordered.
This is making a ton of assumptions about your target. Is it a desktop user? Then possibly. Is it a server? What type? Does it have a keyboard/ monitor? Maybe a USB is how you access this device - so a USB that can get control over the kernel is suddenly your most viable attack method.
If you are a secure site you need to oversee the manufacture of all your USB cables, otherwise you don't know that someone hasn't put an attack into the cables you ordered.