The sheer breadth of the WordPress install base paints an enormous target on the back of not only the core product, but also every popular plugin. And frankly, it seems too many plugin developers don't take that reality seriously. In this case, ~200,000 websites are now vulnerable until patched (assuming they ever will be, I mean c'mon..).
I guess it could be worse. Given the WordPress market share, anyone who finds a serious security hole in the base WordPress package could potentially root a third of the Web.