The article should have been done with the phrase "Unfortunately, nobody had spotted an insignificant-looking XML column in an innocent-looking table," and concluded by recommending the age old advice that's independent of technology, when it comes to permissions, make sure that the DEFAULT is to DENY access. This way if you overlooked an insignificant looking column OF ANY KIND, it would have remained secure because that would have been the default.