by mseebach 2962 days ago
The problem was the phishing, not the subdomain. If your app allows users to run phishing operations, moving the content from user.foo.com to www.foo.com/user probably won't help much in parent's scenario.
3 comments

But it would help to run user content on user.foo.io just like Github.
I have to disagree. A phishing scam from "billing.foo.com" would be much harder to spot than one from "user-content.foo.com/billing". Especially if the user has free rein over the style + content.

If the user is going to be able to design + style the pages any way they want, having something in the URL to indicate it's still user content is important.

No. The problem is the subdomain. Allowing people to phish on a subdomain is lending the phisher the credibility of legitimate websites hosted on the domain. It’s like lending a thief your uniform so that he can disguise himself as an employee. You’re an accomplice when he uses it to steal.