Yup. Forkbombing is possible (and not that hard) on most modern Unices. But the idea of forkbombing isn't to cripple the machine by consuming its CPU/RAM; the idea is to stop it completely by filling up its process table (and keeping it full), so it can't run any new programs. (Also, you have to have shell access to the machine. You can't, for example, cause a web server to start forkbombing unless you can find, say, a buffer overflow somewhere you can use to execute arbitrary code.)
However, it's trivially easy to prevent users from fork bombing. All you have to do is set a limit on the number of processes a user can run (say, 100), and optionally, the amount of RAM they can consume. Sure, you can slow the box down (sometimes quite significantly so) by forking as many processes as possible. However, you can no longer bring it to a grinding halt; the system administrator can still get in and fix things by killing off all your processes.
Of course, you have to set the limit in the first place. If you don't (and it probably should be set by default; I believe it isn't in most Linux distributions), then well, you're screwed. ;)
As for the vulnerabilities ... ::shrug:: I don't recall seeing 21 of them, and of those that I have seen, I don't remember any of them as being particularly serious.
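One way to check that the per-user process limit described above is actually configured, as an added example that is not part of the original comment: it reads pam_limits-style `limits.conf` text and returns the hard `nproc` cap that would apply to a given user. The sample file content, the user and group names, and the simplified precedence (user entry over `@group` over `*`, with group and wildcard entries skipped for root) are assumptions of this example.

```python
# Added example: audit limits.conf-style text for a hard per-user process cap.
# SAMPLE_LIMITS is constructed for illustration, not taken from a real host.
SAMPLE_LIMITS = """\
# <domain> <type> <item> <value>
*        soft  nproc  100
*        hard  nproc  200
@staff   hard  nproc  500
alice    -     nproc  unlimited   # '-' sets both soft and hard
"""

UNLIMITED = {"unlimited", "infinity", "-1"}


def parse_limits(text):
    """Yield (domain, type, item, value) tuples, skipping comments and blanks."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 4:
            yield tuple(fields)


def hard_nproc(text, user, groups=()):
    """Return the hard nproc cap for `user`, or None if the user is uncapped.

    Only hard limits count: a soft limit can be raised by the user up to the
    hard value, so a soft-only entry does not stop a fork bomb.
    """
    best_rank, cap = -1, None
    for domain, ltype, item, value in parse_limits(text):
        if item != "nproc" or ltype not in ("hard", "-"):
            continue
        if domain == user:
            rank = 2                      # explicit user entry wins
        elif user != "root" and domain.startswith("@") and domain[1:] in groups:
            rank = 1                      # group entry (assumed not applied to root)
        elif user != "root" and domain == "*":
            rank = 0                      # wildcard default (assumed not applied to root)
        else:
            continue
        if rank >= best_rank:             # later line of equal rank overrides
            best_rank = rank
            cap = None if value in UNLIMITED else int(value)
    return cap


if __name__ == "__main__":
    for name, grps in [("bob", ()), ("carol", ("staff",)), ("alice", ()), ("root", ())]:
        print(name, hard_nproc(SAMPLE_LIMITS, name, grps))
```

A `None` result marks an account that can still fill the process table; on a live system, `ulimit -u` run in that user's shell shows the limit currently in effect.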
