I made it far enough into the PDF to find out nobody knows for sure where the malware was. Odds are it was on the small business PC, but it sounds like the bank gave bad or unclear advice on handling the infected PCs (which they deny, of course, but given their specificity of non-responsibility in the legal documents, the failure to produce written or email evidence of their exact advice is telling). Subsequently the systems were disinfected, ruining the forensics in the process. Remnants of the Zeus bot were found on the SB systems, but they were unable to tell which specific variant. The one valid supporting claim for the bank is that the only location from which all the data could be compromised was the SB PC. Conversely, if the bad guys had got their hands on the goods from the bank, more than just one SB would have been nailed.
I think this one gets appealed. The argle-bargle of the standard contract is onerous, and is subject to being summarily thrown out as binding for that reason. Moreover, the bank was aware of fraud against its accounts. I think the bank took insufficient action to prevent the fraud. The most glaring failure is not paying attention to serious spikes in the potential fraud scores on the fraudulent transactions. I was once called for transaction confirmation by a credit card company because I made the mistake of paying at the pump for my gas (petrol for you Brits) before going inside to pay my repair bill (2 cars; the working one needed fuel). Apparently making a small charge to confirm the card works is a common technique for that kind of fraud. Given that that was back in the early 90s, and the bank's failure is in the late 00s, that failure is simply unacceptable.