Bluetooth is relatively complex and has to be implemented by many different manufacturers on many different devices. Errors happen. Old devices are particularly susceptible.
Not only the smartphone but also the target device can have security vulnerabilities. Bluetooth, for example, is susceptible to bluesnarfing (using commands from outside to open ports that are supposed to be closed), bluejacking (sending unwanted messages), bluebugging (exploiting a backdoor), bluesmacking (denial of service) or car whispering (eavesdropping on the hands-free system).
Bluetooth is also used to track your movements in stores. The companies Telefonica and 24reports offer technical solutions for this. However, tracking via Bluetooth in brick-and-mortar stores only works if you have also installed an app such as the store's discount app.