Access to network
This seems to be a lot more serious than they are letting on. If they had access to a code-signing certificate, they must have had access to some pretty secure places on the network, and then being able to upload binaries back up to distribute to end users is very worrying (I'm presuming the updates were actually sent from the Opera network, or how else would they know how many users might be infected?).
For a company who makes a few products that proxy for all your web communications, that could be a significant problem. If they had access to those servers they would've inserted themselves directly in the path of that user's browsing.