This is a serious vulnerability
I'd question that. I'd call it "a bit of a vulnerability."
tl;dr: it's not a problem unless and until it's actually a problem.
On a community site, I think you have to assume almost all people aren't malicious. And I think that's been shown to be the case here - some cluelessness or insanity, but the only malice from spammers and the very occasional troll.
Spammers do not qualify for the label 'malicious'. They simply have other goals that happen to be served in a way that is detrimental to LessWrong. Malice means actually assigning utility to decreases in utility of the other, not mere indifference.
I just noticed that calcsam, who just posted two top posts in the main section of the site, only has the 100 karma that he has, so far, gained from those posts.
I don't object to those posts being there, but how did he do that?
Edit: Question answered; Eliezer mucked around with the karma system to make this possible in this specific case.