Re: Statistically weak?
And the premises were flawed from the get go.
Use of the Mechanical Turk and linking the study to CMU both biased the study, especially as it was an actual CMU study. While I am not specifically familiar with Mechanical Turk, since it is on Amazon the assumption is that somebody with a hell of a lot more resources than I have has already scanned the applet for malware and passed it as legitimate. Failure to mention the study on any CMU website is also pretty meaningless. It's not the sort of thing you'd expect to find on their websites, or if it is, it will be so buried it is difficult to find.
The bit about the UAC is a complete red herring. The UAC is only useful for drive-by malware. If you've downloaded it, you know it is going to pop up, and you know you're going to have to authorize it.
If the program was even minimally well behaved, there's no cause to look further for malicious activity. The reality of the security situation right now is that you pick your preferred suite, install it, and count on them to detect the malware. So unless they were providing their code to the AV vendors for inclusion in the malware signatures, there's no cause for a typical user to question the applet.
To get even a semblance of reality into this study they need to have a new name, release it through typical malware vectors (that is not Amazon, Chrome, or Apple app stores but possible dodgy sites or banner ads displayed on random web pages) including some drive-by installers. Collect the data from those instances and see what the results are.