Move along... nothin’ to see here....
MS said the bug was exploitable, said it was difficult to exploit and updated IIS two months prior to the conference where this mitigation research was discussed.
Mitigations are used to slow down attackers in their development of exploits, to try and make those exploits unreliable, and to raise the bar of the skill required to create such exploits (e.g. Chris Valasek is a Senior Research Scientist). The mitigations in this case served that purpose. Mitigations don’t take away the need to update the binaries and IIS was still fixed. Mitigations for all platforms are constantly updated to reflect research from White/Grey/Black Hats. Mitigation bypasses generally do not work broadly.
Server DoS's are typically patched by MS anyway, so whether or not it was exploitable is irrelevant, detailing whether it is exploitable or not is to allow the system admin to make a decision in how to prioritise the downloading/testing and rolling out the patch.
The revised blog post, that wasn't referenced by Dan for some reason, said it was exploitable:
"Since then additional research has shown that it may be possible for this vulnerability to be exploited if DEP and ASLR protections are bypassed."
The bulletin notes from Feb 2011 said it was exploitable:
“Maximum Security Impact - Remote Code Execution”
MS said they were aware of the research in the mitigation bypass.
“Vulnerability details for CVE-2010-3972 are public. However, it will be difficult to build a reliable exploit for code execution. We have heard rumors [sic] of an exploit technique that will be discussed publicly in April by Chris Valasek and Ryan Smith.”