Second, if the HTML pages were served under the more secure application/xhtml+xml media type, the compromised page wouldn't have been usable, because the malformed syntax would have produced a fatal error, instead of silently corrected (this is specified in HTML5, which IE supports now, woo).
I think this speaks clearly of how bad was the decision of creating HTML 5, and not making future web documents an XML application only. With XML, the rules clearly state that a document has to be well formed in order to be interpreted by the XML parser (then it can be invalid according to the XML application, say XHTML). But no, they kept the incredibly stupid tradition of making browsers try to recover according to unspecified ways. I wonder how many workarounds are in the parsers of todays web browsers that swallow utterly broken contents that IE6 displayed properly at that time. Workarounds and complicated code paths that will probably stick for a really long time, since old content will not be fixed ever. And complex code paths that will continue to produce security holes from time to time.