Am I correct in thinking that this could be defeated by simply burning the songs to an audio CD and then re-ripping in ordinary mp3 format?
Yes, or you can just get a program that will remove the data. It's not a true watermark with identifying info intertwined with the audio, just some metadata, the same as song, artist name, etc., are stored in an mp3. After stripping that, the same song bought by two different users may still be slightly different, but transcoding to any format results in two identical files.
I think it went simply like this: When iTunes Store crunches a DRM song for sale to a user it wraps it in DRM and includes the ID info. Apple just removes the DRM part of the processing for DRM-free songs. I think it's innocent, but then Apple isn't talking, which does tweak my conspiracy theory nerve.