It's a proof of concept showing a flaw in a core, non-sandboxed application. Someone with better social engineering and/or or someone interested in targeting specific people could turn this into something rather nasty
No, it's demonstrating (poorly) the ordinary functionality of application plugins.
The most iTunes could possibly do is display a warning dialog on unsigned plugins. Not a bad idea, perhaps, but its absence is hardly a flaw. You're already postulating sufficient social engineering that I can't believe the warning would stop anyone.
