In that case, your security was seriously lacking :-p
I don't think so - SPybot *found* some extraordinary things. That's security in
action :-)

Not quite - ideally they shouldn't have been able to get onto his
system in the first place.

This example is not security in action, it's security after the fact.

Simple steps might have reduced the potential damage that may have
been caused, such as:

1) SpywareBlaster - blocks known activex exploits
2) Firefox - far less prone to being hacked than IE in real life
3) Spybot S&D (properly configured) - hosts file & immunize

(immunize on Spybot S&D is similar to the protection offered by
SpywareBlaster, but it does no harm having both on the system in case
one catches something the other doesn't)