The exploit is in file uploads. Nothing to do with comments. The first published exploit pointed at user registration which had a profile picture upload field.
The last time switching off comments helped (as far as I can remember, but note I only remember the more serious secholes) was 13 years ago, and the only reason that wasn't called Drupalgeddon is because barely anyone used it back then and naming them wasn't in fashion (and we had two more RCE bugs the first half of 2005 anyways before we kicked out the old XML-RPC library and replaced it with a better one) ... but DRUPAL-SA-2005-002 was very, very long ago. And while Adrian wrote form API around the same time for theming purposes, we ran with it to avoid that kind of bug happening again. We? Or... just me? Should I take the blame? It was an ... emerging decision but a lot of it was on me. As the years have passed, form API became frighteningly complex and a lot of that is certainly on me; someone misused it and bam! Drupalgeddon2. It makes me sad but I do not feel guilty. I felt guilty for Drupalgeddon because that was a silly one, more of a process fail than a technical one; this was not silly, this was just too complex. Frankly, catching the bug in D7 was very near impossible; whoever ported this code to D8 should've seen it because it clearly violated the most fundamental form API principles, but when you are busy porting so much code, it slipped through the cracks. Just as Rachel said for Drupalgeddon: I shouldn't feel guilty, others could've caught it too. And, after all, I am out now so it has nothing to do with me any more. Or that's what I am telling myself these empty, sad days and nights.