Barry, you are right: we can't fix the way the internet works. I'm not sure why an attacker would go to the trouble of using an image tag to break into OpenACS, given the ease with which it can be accomplished by tricking someone into visiting an offsite page. The offsite page could use every possible device to break in, not just a src attribute.
One way to fix it, mentioned by me before in this thread and others, is to tie the form to the form processing page. Forms should be tied to a session. Variables used in the form should be tied to the form. In the cases where ad_form is used, this might be possible without visible code changes to each page (where the default formtemplate tag is used), but I'm not an expert on ad_form.
Fixing the exploit code (developer support) isn't a long-term solution. Someone could upload their own exploit code once they have admin access.
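
The binding proposed in the post above (form tied to a session, to its processing page, and to its fixed variables), shown as an added example that is not part of the original post and is not OpenACS or ad_form code. It is written in Python for illustration; the function names, the secret handling and the sample values are assumptions.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side secret; a real deployment would load it from configuration.
SERVER_SECRET = secrets.token_bytes(32)


def _canonical(session_id, action, fixed_vars):
    # Length-prefix every field so two different inputs cannot serialise identically.
    parts = [session_id, action]
    for name in sorted(fixed_vars):
        parts += [name, fixed_vars[name]]
    return b"".join(len(p.encode()).to_bytes(4, "big") + p.encode() for p in parts)


def issue_form_token(session_id, action, fixed_vars, secret=SERVER_SECRET):
    """Token emitted as a hidden field when the form is rendered."""
    msg = _canonical(session_id, action, fixed_vars)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_submission(session_id, action, submitted, fixed_names, token,
                      secret=SERVER_SECRET):
    """Run by the form-processing page before it acts on the request."""
    if not isinstance(token, str) or any(n not in submitted for n in fixed_names):
        return False
    fixed_vars = {n: submitted[n] for n in fixed_names}
    expected = issue_form_token(session_id, action, fixed_vars, secret)
    # Constant-time comparison of the recomputed token with the submitted one.
    return hmac.compare_digest(expected.encode(), token.encode())


def demo():
    # Constructed sample values, not taken from any real site.
    fixed = {"user_id": "42", "return_url": "/dashboard"}
    names = list(fixed)
    tok = issue_form_token("sess-alice", "/user/update", fixed)
    form = dict(fixed, email="alice@example.org")
    tampered = dict(form, user_id="1")
    return {
        "legitimate": verify_submission("sess-alice", "/user/update", form, names, tok),
        "no_token": verify_submission("sess-alice", "/user/update", form, names, ""),
        "other_session": verify_submission("sess-bob", "/user/update", form, names, tok),
        "other_page": verify_submission("sess-alice", "/user/delete", form, names, tok),
        "changed_var": verify_submission("sess-alice", "/user/update", tampered, names, tok),
    }


if __name__ == "__main__":
    print(demo())
```

A request generated by an offsite page or an image tag carries the victim's session cookie but not a token computed for that session, page and variable set, so the processing page rejects it.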