"The mass attack... used to unleash a swarm of exploits that target unpatched vulnerabilities in the Internet Explorer and Firefox browsers and programs such as Apple's QuickTime. ... so far Websense researchers have been unable to identify a common component that is being targeted."
Who says there is a common component? If the malware uses a variety of methods to infect visitors, doesn't it stand to reason that the authors may use a variety of methods to infect the servers? With so many processes running on a single server (exim, courier, apache, php, perl, mysql, python, ruby, etc.), not to mention sites' web apps such as forum software, there are many potential attack vectors. To assume that the malware will use only one attack vector to infect servers is absurd.
"'It's all that we can assume because there is no common injection amongst all these 40,000' sites, Chenette explained. 'The only other possible explanation is the website owners have basically had their FTP credentials or account credentials compromised.'"
A third possible explanation is that the hosting providers were compromised. I'm sure others can come up with other possible explanations. To say that there are only two possible explanations shows the intellect and the ignorance of the person making those statements.
"Mary Landesman, a researcher at ScanSafe, said less than 0.03 percent of its customer base tried to visit a site infected by Beladen in the entire month of May."
According to that statistic, ScanSafe has a list of all websites infected by Beladen. Perhaps she meant "tried to visit a site known to be infected by Beladen". It's omissions like that which make statistics useless.