The stock images should be more comprehensive?
I can't imagine any malware could detect a stock image taken from a year of use.
Yep. Even if it was taken from a few weeks of use in a student lab the amount of effort needed for a virus to determine the false positives from the false negatives would become astronomical. It would either still infect some honeypots or greatly reduce the number of systems it could infect.
Basically the honeypots made it too easy as a real computer in use shows many signs of use like facebook access, random google searches, random cruft on the hard drives, etc.. This is a simplistic version. I could see a more advanced one making sure there was at least one facebook post in the last 24 hours before releasing it's payload.