Re: What operating system?
"Unless, as a user, you have made some dangerous changes to the default behaviour of your OS, just downloading an executable file does make it executable on your filesystem. You need to manually set the execution bit first"
I already addressed this. In this case, the file has been written to a USB device by a program running on an infected host. If that program were designed to write Linux-compatible malware, it is perfectly capable of setting the execute bit after the file is written. What you say is true of downloading an executable file from a malicious server, which is not what happens in this case, but even then it's a relatively weak protection. Windows, for example, will detect that you've just downloaded a new executable file and will give you a security warning before it is executed, and if the file is unsigned that security warning hides the run button so it's confusing to many users how to run it anyway, but we don't view that as a cast-iron security mechanism, do we?
"Windows, on the other hand, will detect an inserted USB device, assume the device is honest when it declares what it is, and then go look for a driver for it, in some cases accepting a driver from the USB device's inbuilt firmware"
I may be wrong, but I see no evidence of this workflow. See the device, yes. Assume it's telling the truth, yes (although I'm not sure what other option you think it has, because that's nearly required for an open interface like USB). Retrieve drivers from the device, no. It can retrieve drivers from Windows Update, but that's checking Microsoft's servers for drivers it already knows about. I have seen drivers carried on a device before, but in every case, that's managed by having the device present a storage mode with the files stored on it and instructing the user to install them manually, something that will require administrative credentials and multiple security warning screens.