It was most definitely a security flaw. There's a reason many services that offer similar things, use the 'fragment' in the URL (the part after the # in the URL) to authenticate users. The end result is that you can't use the actual URL itself to gain access to the wallet, and need the 'fragment' as well. The fragment is entirely clientside.
To put it simply, using a url as your sole authentication is a really fucking stupid idea.
Even worse is that they knew this flaw was being discussed publicly, as was the StrongCoin flaw. You can't assume that every user will read thread about security flaws but services themselves should make it their business to know when such discussions are taking place.