
As a security pro, some of the best times I've had were walking people's SNMP trees ;-)

An absolute gold mine, and (for some reason) it's one of the last things people think about when securing their networks.

If you use SNMP, consider it a sensitive system and protect it accordingly.



Does walking the SNMP tree help with discovery, or are there real vulnerabilities with that service that can be exploited?


Both! Vulnerabilities in the SNMP implementation do happen sometimes, and misconfigurations aren't unheard of. I once found an SNMP listener on a router that allowed _writing_ values, and it made it trivial to add a port forwarding rule that allowed me to skip right over the ingress firewall and some IDS system. I was also able to add a route table entry that joined separate VLANs so machines in those could talk to each other directly (which greatly aided my task).

Even if it's read-only, SNMP can contain all the info you need to build a network map: IPs, hostnames, and even a description (like "accounting-printer" :-D). In one I looked at, it even had information on when the configuration was last updated, so I was able to see which devices were recently given attention by the sys admin, and which devices weren't. I found a few hosts that had slipped through the cracks and were running really old kernels that were exploitable.

If you're defending a network, I definitely recommend scanning for any SNMP listeners, especially on anything that routes packets. If you're trying to compromise a network, I give the same advice.


On Wellfleet/Bay Networks/Nortel routers, all configuration is exposed as SNMP variables. Very common to find weak/trivial authentication on them, exposing complete configs as well as all tables (arp, irp/igp, etc) needed to construct a detailed picture of a network, as well as being able to change things to suit the attacker.


Many Cisco routers allow downloading and uploading(!) of configuration files using special SNMP fields in conjunction with FTP/SCP. There are many of these misconfigured routers exposed to the internet and I'd be surprised if they all haven't been backdoored.
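
For defenders acting on the comments above about writable listeners and weak authentication, here is an added example (not part of the thread) that audits IOS-style `snmp-server community` lines for write access, trivial community strings and missing source ACLs. The function name, the list of trivial strings, the 8-character threshold and the sample config are assumptions constructed for illustration.

```python
import re

# Constructed sample of IOS-style running-config lines (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
snmp-server community public RO
snmp-server community private RW
snmp-server community n0c-Mon1tor-7f3a RO 10
snmp-server community prov-9d2e RW SNMP-MGMT
access-list 10 permit 192.0.2.10
"""

# Illustrative (assumed) list of trivially guessable community strings.
TRIVIAL = {"public", "private", "cisco", "admin", "snmp", "community"}
LINE_RE = re.compile(r"^\s*snmp-server\s+community\s+(\S+)(.*)$", re.IGNORECASE)

def audit_snmp_communities(config_text):
    """Return a list of (line_no, community, [findings]) for risky entries."""
    results = []
    for no, line in enumerate(config_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        community, rest = m.group(1), m.group(2).split()
        access, acl, i = "ro", None, 0   # read-only when no mode is given
        while i < len(rest):
            tok = rest[i].lower()
            if tok == "view" and i + 1 < len(rest):
                i += 2          # skip "view <name>"
                continue
            if tok in ("ro", "rw"):
                access = tok
            else:
                acl = rest[i]   # remaining token is the ACL number or name
            i += 1
        findings = []
        if access == "rw":
            findings.append("write access enabled")
        if community.lower() in TRIVIAL or len(community) < 8:
            findings.append("trivial community string")
        if acl is None:
            findings.append("no ACL restricting source addresses")
        if findings:
            results.append((no, community, findings))
    return results

if __name__ == "__main__":
    for no, community, findings in audit_snmp_communities(SAMPLE_CONFIG):
        print(f"line {no}: {community!r}: " + "; ".join(findings))
```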



