"ICC profiles contain no executable code"
So, they clearly have no clue how malware works. Although I assume they meant that the ICC specification doesn't allow for execution itself, but that grossly ignores how trivial a buffer overflow is when handling variable-length data like images in a loose specification like JPEG. All it takes is a manipulated JMP to make that ICC data executable.
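An added illustration of the length-checking the comment is pointing at (my own example, not code from the thread or from any ICC library; the tag-table layout summarised in the comments and the function names are assumed for the demo, and the sample profile is constructed inline):

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal ICC tag-table validator (hypothetical, not from the thread).
 * Assumed ICC layout: 128-byte header (profile size at offset 0, "acsp"
 * at offset 36), big-endian uint32 tag count at offset 128, then 12-byte
 * entries: signature, offset, size, with offsets relative to profile start. */
#define ICC_HDR 128
#define ICC_ENTRY 12

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static void put32(uint8_t *p, uint32_t v) {
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = (uint8_t)v;
}

/* Returns the tag count, or -1 if any file-supplied length would reach
 * outside the bytes actually read. Each field is checked before use;
 * skipping these checks is what lets a memcpy run past its buffer. */
int icc_count_valid_tags(const uint8_t *prof, size_t len) {
    if (len < ICC_HDR + 4 || be32(prof) != len) return -1;
    if (memcmp(prof + 36, "acsp", 4) != 0) return -1;
    uint32_t count = be32(prof + ICC_HDR);
    if (count > (len - ICC_HDR - 4) / ICC_ENTRY) return -1; /* table fits? */
    const uint8_t *e = prof + ICC_HDR + 4;
    for (uint32_t i = 0; i < count; i++, e += ICC_ENTRY) {
        uint32_t off = be32(e + 4), size = be32(e + 8);
        if (off > len || size > len - off) return -1; /* tag inside file? */
        if (size < 8) return -1; /* type signature + reserved at minimum */
    }
    return (int)count;
}

/* Constructed one-tag profile: the size field written to the table may
 * differ from the bytes really present, which is how a hostile file lies. */
int check_profile(uint32_t claimed_size, uint32_t real_size) {
    uint8_t buf[512] = {0};
    if (real_size > sizeof buf - ICC_HDR - 4 - ICC_ENTRY) return -2;
    size_t len = ICC_HDR + 4 + ICC_ENTRY + real_size;
    put32(buf, (uint32_t)len);
    memcpy(buf + 36, "acsp", 4);
    put32(buf + ICC_HDR, 1);
    memcpy(buf + ICC_HDR + 4, "desc", 4);
    put32(buf + ICC_HDR + 8, ICC_HDR + 4 + ICC_ENTRY);
    put32(buf + ICC_HDR + 12, claimed_size);
    return icc_count_valid_tags(buf, len);
}
```

`check_profile(64, 64)` accepts the honest file, while a tag whose size field claims far more bytes than the file holds is rejected before anything is copied.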