In software development it's impossibly optimistic to think a complex piece of software will be bug-free. Developers of course try to think of all of the ways something might be exploited but all the bases are rarely covered. There are numerous checks and transaction rejections in Steem, for some things less obvious than others. Often it's the exploitation of a bug that identifies it and drives it to be fixed.
Of course ideally the blockchain wouldn't stop and the transaction would have been rejected. But much like @timcliff said, considering the circumstances, the outcome wasn't too bad.
I have worked for a company where there was a formal requirements process with full traceability in place, we had solid DTAP environments, programming was done in Ada, code and module reviewing and testing was done in an almost religious way, and we had a very competent and creative dedicated FMECA team, and also aggressive alpha and beta testing, and guess what ...
Shit happens. Having shit happen less often is very expensive, and even then there are no guarantees. Still, my trust in the quality of the blockchain codebase did take a small hit, can't help it. Well caught and solved, though.