I think you don't either.
My guess is a security hole, a bug.
Your guess is an inherent deficiency of architecture.
Neither of us is in a position to prove our guesses. You are in a somewhat better position to investigate - you actually have logs and whatnot from your co-worker's breakage. But, unless you understand _exactly_ how the malware gained access to the protected areas of the system, we still don't know for sure.