http://qs321.pair.com?node_id=131914

I recently ran across an interesting article on how Passport security works, and what some of the flaws with it are, including a construction of an exploit (now fixed). As noted, while there is now a road-block for that specific exploit, the underlying problems are still there, and a motivated observer could readily construct another.

I am not bringing up this article because I think that Microsoft has done an unduly horrible job in constructing their Passport service. I am bringing it up because I think they haven't. Oh don't get me wrong. I am not saying that Microsoft did a good job of getting it right because they didn't. I am saying that I wouldn't expect to see someone else doing a better job.

What is their real mistake? That they have a consistent pattern of small oversights, which make it easy for a determined exploiter to find their way forward. They have cross-site scripting holes. Congratulations, most people do. They have attempted to filter out known dangerous constructs rather than forcing known valid input. Congratulations, even though that is ass-backwards if you want security, that is the common immediate response. They have focussed on features over security. They and (much chest beating notwithstanding) everyone else.
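The "filter known-bad vs. force known-valid" point above, as an added example that is not part of the original post: a denylist filter that strips the one construct its author thought of, beside an allowlist validator that defines what a display name is and rejects everything else. The pattern, field name and sample inputs are constructed for illustration.

```python
import html
import re

# Denylist approach: remove the constructs we happened to think of and pass
# the rest through untouched. Anything the author did not anticipate survives.
DENYLIST = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)


def denylist_filter(value: str) -> str:
    """Strip known-bad patterns; everything else is assumed safe (it is not)."""
    return DENYLIST.sub("", value)


# Allowlist approach: state the grammar of a valid display name (constructed
# rule for this example) and reject any input that does not match it.
ALLOWED_NAME = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def is_valid_name(value: str) -> bool:
    """True only if the whole string matches the allowed grammar."""
    return ALLOWED_NAME.fullmatch(value) is not None


def validate_name(value: str) -> str:
    """Return the name unchanged if valid, otherwise refuse it outright."""
    if not is_valid_name(value):
        raise ValueError("display name contains characters outside the allowed set")
    return value


def render_greeting(value: str) -> str:
    """Validate on input AND escape on output; each defence stands on its own."""
    return "<p>Hello, " + html.escape(validate_name(value), quote=True) + "</p>"


if __name__ == "__main__":
    # Constructed sample: contains no <script>, so the denylist lets raw markup
    # through into the page; the allowlist rejects it because '<' is not a name.
    sample = "<i>bob</i>"
    print(repr(denylist_filter(sample)))   # markup survives untouched
    print(is_valid_name(sample))           # False
    print(render_greeting("bob_42"))       # <p>Hello, bob_42</p>
```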

As has come up in past discussions, this site does little better. (Visit tye's home page.) It would be a sucker bet to predict that many of the people here have worked with corporate code-bases that do substantially worse things. In fact many still do. And if you haven't had the displeasure, your turn will probably come.

So re-read it. Not with an eye towards, "Microsoft sucks!" but with an eye towards, "Would I know to do better?" Because as the oft-regurgitated but seldom understood mantra goes, security is a process. It is a process that we get wrong, over and over again. People have fundamental misunderstandings that are guaranteed to lead to problems. And that means that the process which is security needs some debugging.

And so I finish by reminding people of the fundamental point that you should avoid parsing (re-read again, seeing how that theme applies) and with an inspirational story from the Space Shuttle about what debugging a process can look like. (Before everyone jumps up and down and says that that cannot be done, stop. It can be done. It may not be worth going to that extreme all of the time, but IMNSHO people can and should habitually do more that way than they do now.)