Basically Wikileaks has nobody there who is competent enough to actually implement a security framework for the site.
So, as a result, it basically becomes a dumping ground for all this crap.
Thus, when examples are pointed out to them, all they can do is nix the examples.
Wikileaks has withstood countless efforts to get their site offline, sometimes by dedicated groups and/or state-sponsored actors. You may remember how all hell broke loose with Cablegate, including DDoS and Senator Lieberman's call to Amazon. Calling Wikileaks incompetent at security is completely ridiculous.
I bet that the whole thing went down like this: the author of this Backchannel article wanted to rag on Wikileaks for their dissemination of personal details, and wanted to bring up email #117 as a prime example (medical bill!!) and got infected herself for lack of security competence. The author then contacted some security outfit to perform a security evaluation, and the security outfit performed a simple virus scan. The author then cooked up a clickbait article about how Wikileaks is out there to recklessly infect everyone with malware.
Let's face it: Wikileaks is plenty competent security-wise, as evidenced by their very presence for so many years. They expect their readers, especially professional journalists scouring their site, to bring at least a moderate skill set to the table, and Mrs. Upson apparently failed miserably.