If this "Feature" predates widespread Internet usage, I would consider it to be as likely a bone-headed design decision as a malicious one.
The original Macintosh OS was highly-succeptible to viruses because the designers didn't think anyone would abuse the system. Before it became necessary to run virus scanners, some of the security weaknesses could actually be used to do interesting things. For example, if you put a custom WDEF resource ID #0 in a disk's "Desktop" file, any folder windows on that disk would be drawn with the window-drawing routines in your WDEF instead of the normal system WDEF ID #0. Obviously something very easy for virus authors to exploit (until anti-virus tools started automatically nuking any *DEF resources in Desktop files) but in 1984 nobody had any clue that such a thing as computer viruses would even be created.
My guess with the WMF vulnerability is that someone wanted the Windows OS to record in a metafile everything the code did in the generation of a picture. SetAbortProc was a GDI call, so it got recorded with everything else. The fact that recording such events was useless and pointless was beside the point.
BTW, what I'd like to see someone implement in an OS would be a CODEC interface for pictures, sound, etc. that would instantiate a VM with a fixed defined address space and NO privileges whatsoever. There would be an area of memory in which source data would be placed before calling the code in the VM, and an area of memory where it would put the results. The CODEC could run as machine code, but would be stuck in its sandbox as with interpreted-code VMs. If the data to be decoded was malformed and the CODEC hit a buffer-overflow or other error, the invalid data could take over the CODECs VM, but it wouldn't be able to do anything with it.
I've made a few of those.
In fact, I've been known to put real backdoors into some of my products. The network admins wouldn't give us privileges, so I said, "That's ok, I don't need them". This was done just to support the product, and my project managers knew what I was doing, but the network admin would have had kittens, if he had found out.