First, Firefox addons are not actually executable files; they're scripts constrained within the browser's ecosystem, and thus can only access certain features and functions. I'm certain that accessing the blacklist controls would be one of those functions that Mozilla have ensured that addons cannot affect for obvious reasons.
Bear in mind that addons are intended, and permitted, to ultimately do only one thing: to modify the user experience of websites displayed in the browser. SQL injection falls within this purview, since in practice SQL injection is merely the submission of search terms to a web form. In this, its behaviour is similar to an addon (I forget its name, probably TrackMeNot or something like it) that salts search engines with random queries to throw off search profiling. The addon itself isn't actually a real trojan in the same sense as, say, Zeus or Conficker, because it doesn't run independently of the browser and doesn't replicate a trojan's behaviour. All it does is send SQL injection queries to any web forms it finds, just as anti-profiling addons send rubbish search queries.
What this amounts to is that because of the way addons are constrained within the environment imposed by the browser, it's simply not possible for an addon to be as invasive or potent as a free-running executable installed on your system. It could not, for example, modify the registry, alter firewall settings, or affect operating system files outside of the browser environment.
Theoretically, an addon could be created that, for example, captures anything you type into a web form and echoes it to a scammer's server, potentially allowing the keylogging of your banking details; but such addons are very quickly spotted and eliminated, because this behaviour follows a known malware heuristic. That's why you don't see such addons in the official repository; it's probably got to the point where even the most hardcore crooks don't even bother trying.
This addon escaped immediate detection precisely because it doesn't follow common malware heuristics such as keylogging or DDoSing; all it does is send search queries to the same website the browser is on, which isn't malware-like behaviour. It's actually a testament to the ingenuity of the crooks behind it to think of designing one that worked this way - which indicates that they're already aware that trying to secrete more obvious trojans in the addons repository, like the aforementioned keylogger, is futile.
Also, that only 12,500 users out of the hundreds of millions of Firefox users were affected shows how quickly Mozilla and its developer community get on top of these things. This is an addon that, despite not exhibiting any malware-like behaviour, still didn't get very far before being spotted and eliminated. This is a testament to the vigilance of Mozilla and its developers, which I find rather reassuring.