It is ultimately a human system, but human systems can include an element of rule-based order. Humans can decide to have one process for making the rules and a different one for enforcing/honoring the rules.
So the best way to proceed, in my view, is to honor the current version of the contract (which equals the current version of the code including the "exploit") and then change the rules/code so that the same thing cannot happen again in the future.