Ah, (for anyone caring enough to read this discussion) apparently the actual code in the patch (which was more complex than listed here [1]) doesn't just ban processes (as with control of the parent we really do have the ability to bypass the process check, as again: we can just keep making replacement exploit containers), but also bans entire user accounts that are causing suspicious memory accesses.
[1] http://xorl.wordpress.com/2010/11/09/grkernsec_brute-exploit...