So it wasn't the case that dynamically loading and executing a blob of unreviewed third-party code containing the offending section is what was responsible for those transactions being initiated. Oh wait, it was.
Exclusively focusing on the security failures arising from end-user UI/social engineering and ignoring the failures arising from poor engineering billed as modern software development best practices is another type of failure.