I call shenanigans.
"Beer said it was unlikely because the hacked Treasury sites contained static HTML pages that aren't susceptible to such exploits."
And has he gone through the code for every single page, on every Treasury site?
If not, then how can he say this, as it is entirely possible to run PHP inside .html pages, and some coders will do this in a stupid attempt to "hide" that they are using php.
Perhaps Joe Blow, who originally designed the sites, put in a few php entries to make things easier. Then, when he was fired, the outsourced coder didn't bother to check the code completely before making his changes.
Flaws upon flaws, as design moved from person to person, could lead to a compromisable .html page.