I find it hard to believe they didn't do any testing. I wonder if they tested the virus signatures against the engine, but didn't check the final release artefact (the .sys file) and the bug was somehow introduced in the packaging step.

This would have been poor, but to have released it with no testing would have been the most staggering negligence.