I don't know anything about their exploit - so why argue it?
Given the hit rates, I'd guess that the exploit may be as simple as seeding a hot_nekkid_pics.zip.exe file on the server - If a site has x amount of files and you infect 1, what is your hit rate as compared to just running a JS exploit on the main page and nabbing everyone who visits it?
they relied on the idiot's own actions to reveal themselves. - yes.
Plus, the original goal would have been to bring the server down (and, hopefully, go after those running it and producing any content). Nailing a few consumers is just gravy if it helps with deterrence. - Agreed, but from what I've heard the goal was always to take the clients, then the server.