In principle I agree, but unfortunately running in a VM is the one otherwise reasonable precaution that I can't realistically take on the machines in question. I do a lot of web development, so if I'm running everything in a VM all the time then I'm not testing using the same browsers that my clients' customers will be. Maybe it would have given some reassurance in this specific case, but in general if those client sites incorporate any third-party resources this sort of attack is still a concern.
It's not so much having trouble as just inconsistency of implementation across platforms. For example, I usually do this kind of work on Windows. I certainly could spin up a quick Ubuntu VM and run Firefox in that, but various aspects of the page rendering might change as a result. Given that far more Firefox-using visitors on most real sites will be running Windows than any other platform, testing with real Firefox on Windows is less error-prone. Ditto for Chrome, etc.