Re: Well lets name them....
"just how wrong can one post be?"
I can't comment on super large ad agencies, but I can comment on smaller ad-fuelled businesses. Having actually worked for them in software development.
In a sufficiently large ad agency the person accepting flash files and media will simply use a back end CMS and may have the problem solving technical prowess to fix a paper jam in a printer.
The conversation between the developers and the business management when implementing that CMS would probably have gone along these lines:
Boss Guy: "We need to support flash advertising in the CMS"
*Developer shows uncomfortable face*
Boss Guy: "There a problem there?"
*Developer considers suggesting that flash might very, very, very occasionally carry malicious code, but doesn't want to present such an esoteric risk to the boss and come off sounding like someone who doesn't want to get the work done with a go get'em attitude when everyone else also uses flash.*
Developer: "Well, it wont play nice with apple iThings."
Boss Guy: "Well, I guess we'll just have to encourage people to move to HTML5 ads in the long term."
Ultimately, it's stories of people getting burnt by flash that will change conversations like the one above. Until then, it's very easy to be the person with 20:20 vision in hindsight and more importantly, you have to make a business case for spending time on things and it's very difficult to justify hundreds of man hours of reverse engineering code 'just in case'.
I have no doubt that this sort of malware will indeed change attitudes in time, but for now I think if you did a little work for ad agencies you'd understand why this sort of thing happens.
I would say that 'easily finding' malicious flash code when you don't know what you're looking for would be a bit like 'easily finding' OpenSSL and bash vulnerabilities in 2012. There's a reason why anti virus companies employ very skilled people who had to climb a steep learning curve.