If a company uses, and distributes, a GPL tool, then they do indeed have to provide only the source code of that tool, and only for the version they distribute. That’s all good.
Libraries are a very different matter. A library is not a stand-alone thing; it’s used as an integral part of a larger program (the technical term here is linking). Tools are like the separate items in your kitchen drawer: big knives, ladles, whisks, forks. They’re all related and they all work on the same thing (food, or data) but they are independent items. Libraries are like ingredients in the meal you’re cooking – eggs, flour, water, yeast. The final article – the pie you’ve made – combines them all together into a whole thing which is different from and more than its ingredients.
Here’s the point about the GPL: if you use a GPLed library in your program, then you must release the source code of the whole program, not just the GPLed library. That’s exactly what the GPL is designed to make you do, even if you don’t want to.
So, any commercial, closed-source product which uses a GPL library in that product and doesn’t release all the source of that product is breaking the GPL and is therefore liable.
However, they may be doing any of the following, all of which are OK: releasing source for a GPLed tool they’re using while carefully not linking any GPLed libraries into their main program; using libraries which are free software but under a non-copyleft licence (BSD, MIT, Apache, etc) and not releasing their source; using libraries under the LGPL and releasing their changes to that library but not to the program it’s linked to.