I'm not surprised. The more users that remain unprotected (and ignorant of how to stay protected), the more money their sponsors rake in.
It's very simple to understand. Users who care nothing at all as to whether they are exploited or not will continue to use fb. Users who do care will abandon the place in a whirlwind. The fb policy seems to be, fool the masses into thinking they're safe, and extract what use they can, from their ignorance. And all the while, they keep putting up the window dressing to lure more unsuspecting members.
I've said it before and I'll say it again...the members there should be offered as default settings, the best possible security scenario that protects them from being exploited.
Were this the case, those who want to change those settings to offer the best possibilities for infection and exploitation would then have to sharpen their idiot skills in order to learn how to do that.