I think the point was that Flame was signed with a Microsoft key.
It's true that key shouldn't have been trusted for what it was used for, and that the MD5 attack basically elevated the rights of the key, but the parent's point isn't 100% wrong (nor is it 100% right..)
Flame used a prefix collision attack that had not been seen before. The concept was demonstrated a couple of years ago but the attack itself was novel.
While that's true, what enabled Flame to use that to sign code was a chain-of-trust mistake, as nl pointed out above -- and there's no guarantee that such chain-of-trust mistakes will not happen in the future.