In its forum post this morning, OpenX describes itself as a long-term supporter of open source and stops well short of accepting culpability. "We are deeply saddened that our OnRamp contribution to the movement must end due to this criminal activity," it says.
But it also acknowledges implicitly that correcting the vulnerability would be possible, given adequate resources. The fact that OpenX has deemed it lacks those resources begs the question of whether open source technology can be stewarded by for-profit businesses -- or if there's a place for open source in advertising at all.
In the case of OpenX, the company's own actions may have created preventable security holes. A recent ITWorld article describes a method by which malware has been easily spread through an “append” attack. Hackers are able to use the plugin for the OpenXMarket exchange product to inject malicious code into ads on websites that use the OnRamp ad server. This plugin is installed by default. Without this monetization lever implemented by OpenX, which ITWorld calls "poorly thought out," it seems clear the risk to OnRamp users and their website visitors would have been considerably less.
On the other hand, OpenX deserves credit for acting on what had clearly become a significant Internet security issue. Publishers still haven't been given details on the specifics of this particular attack. Was it one malvertiser or many? Was the onslaught very much larger than other recent incidents reported over the last several months? These details would be nice to have. But, regardless of the answers, OpenX probably did the right thing.