That effectively makes it a local exploit rather than a remote exploit, but I do not think it makes it worthy of being completely ignored. Considering that Apple would very much like its machines to be used in public, lab-type environments, this does not speak well to their security in such situations.
You have brought up the only true concern in all of this. But as any computer security expert would say - If you can get physical access to a machine, you can compromise it. This example is almost that. Giving someone complete, unfettered access to a machine like this means that it is not in any kind of secured state.
The person who did it says "It wouldn't have mattered" if they did not issue accounts and opened up SSH, but has yet to display this ability.
Any IT manager who allowed any Tom, Dick, or Mary to create an Admin account is only asking for trouble... and this one got it.
Isn't it interesting that every time Apple releases new OSX Macs the FUD spreaders create big stories out of things that are very little to worry about?