Forum OpenACS Q&A: Re: RFC: Security policy for OpenACS (Security hole in OpenACS 5.1!)

Yeah, the real problem isn't 'run(ning) as root all the time'; I'm not sure what that even means. But whatever someone can do because of a vulnerability isn't the problem, just the potential effect of not fixing the problem.

The problem is with the protocol which allows actions to be performed without the user's knowledge. But OpenACS can be fixed to make the vulnerability mostly go away. OpenACS cannot be 'fixed' to prevent an admin from installing a package which does whatever they want it to do. This is a feature, and it can't be prevented.