Config file with no Keys..?

It is indeed a security issue to have those left as the defaults, but it is not an extremely serious issue.

To mitigate the problem of known default salts, WordPress intentionally recognizes when those values are left as “put your unique phrase here” and will not use that phrase as a key/salt. Instead, it generates random 64-character salts internally and stores them in the database for usage as salting values. WordPress also ignores any duplicated values across those salts, and generates randoms in those cases too, so any default value used that is identical across them will be rejected as it may potentially be known to an attacker.

Now, this is still not ideal, because the salts are then stored in the database. If an attacker happens to get read access to your database, or gets a dump of the database, then they could brute force the hashes and gain further access. But the default values are not used for actual salting.

Ideally, the salts should be defined in the config file, because an attacker would then need to obtain the contents of that file, so reading the database wouldn’t get them anything useful.

Note that you can change these values at any time with no serious consequences other than having to log in again, as all the cookies and such will change.
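An audit of a config file for the conditions described in the reply above (placeholder phrase, duplicated values, keys not defined at all), as an added example that is not part of the original post and is not WordPress's own code. The function names and the sample config contents are constructed for illustration; the parser only handles plain `define()` lines and skips `//`-commented ones.

```python
import re
from collections import Counter

# The eight key/salt constants WordPress looks for in wp-config.php.
SALT_CONSTANTS = [
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
]
PLACEHOLDER = "put your unique phrase here"

# Matches define('NAME', 'value'); at the start of a line, either quote style.
DEFINE_RE = re.compile(
    r"""^\s*define\(\s*(['"])(\w+)\1\s*,\s*(['"])(.*?)\3\s*\)\s*;""", re.M)

def audit_salts(config_text):
    """Return {constant: 'ok' | 'missing' | 'placeholder' | 'duplicate'}."""
    defined = {m.group(2): m.group(4) for m in DEFINE_RE.finditer(config_text)
               if m.group(2) in SALT_CONSTANTS}
    counts = Counter(defined.values())
    report = {}
    for name in SALT_CONSTANTS:
        if name not in defined:
            report[name] = "missing"
        elif defined[name] == PLACEHOLDER:
            report[name] = "placeholder"
        elif counts[defined[name]] > 1:
            report[name] = "duplicate"   # same value reused across constants
        else:
            report[name] = "ok"
    return report

def needs_attention(report):
    """Constants that are not set to a unique value in the config file."""
    return [name for name, status in report.items() if status != "ok"]

# Constructed sample input, not taken from a real site.
SAMPLE_CONFIG = """\
<?php
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'constructed-sample-value-A');
define('LOGGED_IN_KEY',    'constructed-sample-value-B');
define('NONCE_KEY',        'constructed-sample-value-B');
define('AUTH_SALT',        "constructed-sample-value-C");
// define('SECURE_AUTH_SALT', 'constructed-sample-value-D');
define('LOGGED_IN_SALT',   'constructed-sample-value-E');
"""

if __name__ == "__main__":
    for name, status in audit_salts(SAMPLE_CONFIG).items():
        print(f"{name:18} {status}")
```

Any constant the audit flags is a candidate for replacement with a fresh random value in the config file; as the reply notes, changing them only forces users to log in again.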