Package manager vulnerability study flawed ?

A study from the University of Arizona (recently posted on slashdot) looked at weaknesses in package managers (and mirror setup). By becoming an official mirror and delaying or stalling a mirror's updates they tried to lower the security of servers using that mirror and increasing the window of opportunity for a successful attack.

In itself it is very useful to make people aware of weaknesses in technology or abuse of trust, but in this case (and certainly for CentOS) I think they overstated the impact or at least ignored mechanisms used to prevent possible security risks.