Yes, the level of stupidity here makes it seem almost suspicious. But Sony has gone out of their way to prevent this in the past, so it probably is what it seems on the surface, a mistake.
And with time and consideration I wouldn't put it past Sony to devise a counter strategy. It's hard to anticipate how they might be able to plug this hole, but since they haven't responded yet I think it's more than fair to consider calling this fight over to be premature.
I have no doubt we're talking "mistakes" here. But if they were really serious about security, it's something that wouldn't have occurred. Really. Regardless of whether Sony has the ability to rewrite a completely new and 100% secure firmware, the way they mucked up the crypto makes them deserve an "epic fail" stamped on their foreheads anyway.
And, even though fail0verflow were kind enough to classify it as "just a bug in a loader", I'd say blindly copying user-supplied data with a user-supplied size in a security-critical loader is pretty "epic fail" too. It's not like buffer overflows are unknown, or have been for the last decades, geez!
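The loader bug the comment above describes, a copy whose length is taken straight from the attacker-controlled input, shown beside the two checks that prevent it. This is an added illustration written for this thread, not fail0verflow's or Sony's code: the image format (a 4-byte little-endian length followed by the payload), the 32-byte destination buffer, the "sentinel" word standing in for whatever really sits after that buffer, and all function names are made up for the example.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Toy image format, constructed for this example (not any real console
 * format): a 4-byte little-endian payload length, then the payload. */
#define HDR_LEN 4

/* Model of the loader's memory as one flat region: a 32-byte destination
 * buffer immediately followed by a 4-byte word that stands in for whatever
 * really lives after it (a saved return address, a function pointer, ...).
 * Keeping it one array keeps the overflow below inside defined behaviour. */
#define DST_SIZE     32
#define SENTINEL_OFF DST_SIZE
#define MEM_SIZE     (DST_SIZE + 4)
#define SENTINEL     0xDEADBEEFu

typedef struct { uint8_t bytes[MEM_SIZE]; } loader_mem;

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32le(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

void loader_mem_init(loader_mem *m) {
    memset(m->bytes, 0, MEM_SIZE);
    wr32le(m->bytes + SENTINEL_OFF, SENTINEL);
}
uint32_t loader_mem_sentinel(const loader_mem *m) {
    return rd32le(m->bytes + SENTINEL_OFF);
}

/* VULNERABLE: the copy length is whatever the header says. The loader even
 * has the real image size available (img_len) and ignores it. */
void load_unchecked(loader_mem *m, const uint8_t *img, size_t img_len) {
    (void)img_len;                         /* ignored: that is the bug */
    uint32_t len = rd32le(img);
    memcpy(m->bytes, img + HDR_LEN, len);  /* len > DST_SIZE clobbers the sentinel */
}

/* HARDENED: the length must fit both the bytes actually supplied (no
 * over-read of the image) and the destination (no overflow). */
int load_checked(loader_mem *m, const uint8_t *img, size_t img_len) {
    if (img_len < HDR_LEN) return -1;       /* header truncated */
    uint32_t len = rd32le(img);
    if (len > img_len - HDR_LEN) return -2; /* header lies about payload size */
    if (len > DST_SIZE) return -3;          /* payload larger than destination */
    memcpy(m->bytes, img + HDR_LEN, len);
    return 0;
}

/* Builds a constructed image whose header claims `claimed` bytes and which
 * actually carries `present` bytes of 0x41. Returns the image size. */
size_t make_image(uint8_t *out, size_t cap, uint32_t claimed, size_t present) {
    if (cap < HDR_LEN + present) return 0;
    wr32le(out, claimed);
    memset(out + HDR_LEN, 0x41, present);
    return HDR_LEN + present;
}

/* Oversized payload (36 bytes into a 32-byte buffer): returns 1 when the
 * unchecked loader overwrote the sentinel and the checked loader refused
 * with -3 and left its copy of memory intact. */
int demo_overflow(void) {
    uint8_t img[64];
    size_t n = make_image(img, sizeof img, MEM_SIZE, MEM_SIZE);
    loader_mem a, b;
    loader_mem_init(&a); loader_mem_init(&b);
    load_unchecked(&a, img, n);
    int rc = load_checked(&b, img, n);
    return loader_mem_sentinel(&a) == 0x41414141u
        && rc == -3 && loader_mem_sentinel(&b) == SENTINEL;
}

/* Well-formed 16-byte payload: the checked loader accepts it. */
int demo_good(void) {
    uint8_t img[64];
    size_t n = make_image(img, sizeof img, 16, 16);
    loader_mem m; loader_mem_init(&m);
    return load_checked(&m, img, n) == 0 && m.bytes[15] == 0x41
        && m.bytes[16] == 0 && loader_mem_sentinel(&m) == SENTINEL;
}

/* Header claims 16 bytes but only 8 are present: rejected as an over-read. */
int demo_truncated(void) {
    uint8_t img[64];
    size_t n = make_image(img, sizeof img, 16, 8);
    loader_mem m; loader_mem_init(&m);
    return load_checked(&m, img, n);
}

int main(void) {
    printf("overflow demo %s, good image %s, truncated image rc=%d\n",
           demo_overflow() ? "ok" : "FAILED", demo_good() ? "ok" : "FAILED",
           demo_truncated());
    return 0;
}
```

The point of the second check in `load_checked` is the one loaders most often forget: a length field must be validated against the source that was actually handed over as well as against the destination, otherwise a lying header turns a copy into an out-of-bounds read even when the buffer itself is big enough.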
It's kind of obvious that junior programmers are responsible for these things. If Sony really cared about security, they would hire better people to design and implement the security systems. And I don't mean they have to hire Geohot either.
What little I've seen of the 360, it's a LOT better designed (as well as implemented).