So, it requires people to download it. Run an installer.
What I'd like to know is what other user interaction is required for infection on recent macOS versions. Typically you need to enter administrative credentials even when logged in as an administrator to install any software. If the software vendor isn't an approved third party. You also have to go into System Preferences and manually allow it.
I know they had managed a false certificate. But I don't think Apple uses the same lists as anti-virus providers. As many programs downloaded online that aren't from a major company will not run without all this user interaction.
Even once it is installed. When you run the program for the first time. You'll get another warning.
If some user goes past all these barriers to allow the malware to run. What else can Apple do? I wouldn't consider this a flaw in the OS. Now if it is able to install and skip all those checks that is another matter.
I just hope Apple doesn't decide to lock Macs down to the app store completely as they do with iOS. It seems like they are headed that way. With there ever increasing crack down on downloaded apps.