Maybe? I didn't look at it, was it something like an iframe embedded in the page, that used some JS? If it really was a CSRF bug, I'm not too surprised they missed it, though I have the same level of dismay. I just had a discussion at work about how this is one of the hardest security issues to understand. To wit, a couple months back I had to convince Apple that no, there was not a CSRF vector in our application, despite what their security team was saying.
"Kitto daijoubu da yo." - Sakura Kinomoto