The point that interested me was the fact that the WMF interpreter was starting a separate thread to execute the embedded code.
To me, this shows intent to execute something, and is not the way a buffer overrun would work.
I will admit that Steve is a bit of a self-promoter, but we have a few of those here, as well. And it doesn't make them necessarily wrong.
If this "Feature" predates widespread Internet usage, I would consider it to be as likely a bone-headed design decision as a malicious one.
The original Macintosh OS was highly susceptible to viruses because the designers didn't think anyone would abuse the system. Before it became necessary to run virus scanners, some of the security weaknesses could actually be used to do interesting things. For example, if you put a custom WDEF resource ID #0 in a disk's "Desktop" file, any folder windows on that disk would be drawn with the window-drawing routines in your WDEF instead of the normal system WDEF ID #0. Obviously something very easy for virus authors to exploit (until anti-virus tools started automatically nuking any *DEF resources in Desktop files) but in 1984 nobody had any clue that such a thing as computer viruses would even be created.
My guess with the WMF vulnerability is that someone wanted the Windows OS to record in a metafile everything the code did in the generation of a picture. SetAbortProc was a GDI call, so it got recorded with everything else. The fact that recording such events was useless and pointless was beside the point.
BTW, what I'd like to see someone implement in an OS would be a CODEC interface for pictures, sound, etc. that would instantiate a VM with a fixed defined address space and NO privileges whatsoever. There would be an area of memory in which source data would be placed before calling the code in the VM, and an area of memory where it would put the results. The CODEC could run as machine code, but would be stuck in its sandbox as with interpreted-code VMs. If the data to be decoded was malformed and the CODEC hit a buffer-overflow or other error, the invalid data could take over the CODEC's VM, but it wouldn't be able to do anything with it.
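A minimal model of the CODEC sandbox proposed in the last post, as an added example that is not part of the thread: a guest decoder with a deliberate output overflow runs in a fixed address space with an input area, an output area and no host calls. It uses an interpreted VM rather than confined machine code, and the instruction set, memory layout and run-length format are all constructed for illustration.

```python
MEM_SIZE, IN_BASE, OUT_BASE = 256, 0, 128   # fixed guest address space (constructed layout)
MAX_STEPS = 10_000                          # CPU budget so a hijacked codec cannot spin forever

class SandboxFault(Exception):
    """The guest left its address space or exhausted its step budget."""

# Guest codec: RLE decoder over (count, value) pairs, count 0 ends the stream.
# It has NO output bounds check, i.e. it is deliberately overflowable.
RLE_CODEC = [
    ("li", 0, IN_BASE), ("li", 1, OUT_BASE),              # 0-1: r0 = in ptr, r1 = out ptr
    ("ld", 2, 0), ("jz", 2, 12),                          # 2-3: r2 = count; 0 means done
    ("addi", 0, 0, 1), ("ld", 3, 0), ("addi", 0, 0, 1),   # 4-6: r3 = value
    ("st", 1, 3), ("addi", 1, 1, 1),                      # 7-8: mem[r1] = value (unchecked)
    ("addi", 2, 2, -1), ("jz", 2, 2), ("jmp", 7),         # 9-11: repeat until run is done
    ("halt",),                                            # 12
]

def run_guest(program, mem):
    """Interpret the guest; the instruction set has no I/O or host-call opcode."""
    reg, pc = [0, 0, 0, 0], 0
    def addr(a):
        if not 0 <= a < len(mem):
            raise SandboxFault(f"access outside sandbox at {a}")
        return a
    for _ in range(MAX_STEPS):
        op, *args = program[pc]
        pc += 1
        if op == "halt":
            return reg
        elif op == "li":   reg[args[0]] = args[1]
        elif op == "ld":   reg[args[0]] = mem[addr(reg[args[1]])]
        elif op == "st":   mem[addr(reg[args[0]])] = reg[args[1]] & 0xFF
        elif op == "addi": reg[args[0]] = reg[args[1]] + args[2]
        elif op == "jz":   pc = args[1] if reg[args[0]] == 0 else pc
        elif op == "jmp":  pc = args[0]
    raise SandboxFault("step budget exhausted")

def decode(data):
    """Host side: copy input in, run the guest, copy output out. None on a guest fault."""
    if len(data) > OUT_BASE - IN_BASE:
        return None
    mem = bytearray(MEM_SIZE)               # fresh VM per call, nothing persists
    mem[IN_BASE:IN_BASE + len(data)] = data
    try:
        reg = run_guest(RLE_CODEC, mem)
    except SandboxFault:
        return None
    return bytes(mem[OUT_BASE:reg[1]])
```

A stream whose run length exceeds the 128-byte output area makes the guest overflow its own buffer, which ends in a `SandboxFault` and a `None` result while the host's state is untouched.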