
It is not that ironic; they did such a thorough job that they managed to swap out their problematic solution for their plan B easily enough.


I think the point was they swapped out one problematic solution for another


They explained the trade-offs in the original blog post. They had considered this class of security holes and had a contingency plan in case one would be detected. They simply executed that plan. I'd say they handled it very well.


The Realms polyfill solution was inherently hacky: it tries to shim a sandbox into an environment that didn't have one, and it makes it too easy to accidentally leak capabilities into the sandbox.

WebAssembly was built from the start as completely sandboxed (if you want the sandbox to communicate with the world, you have to write each bridge yourself), and it's not as easy to directly share references to host objects into the sandbox, so it's unlikely to happen by accident.

It's a blacklist (Realms polyfill) vs whitelist (WebAssembly) kind of situation. Whitelist approaches are almost always easier to secure and verify.
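To make the whitelist point concrete, here is an added example (not from the thread or from the project discussed) of what the WebAssembly side enforces. The module bytes are hand-assembled for this example: it declares exactly one import, `env.log(i32)`, and one export, `run()`, which calls `log(42)`; the host can enumerate the required capabilities before instantiation, nothing crosses the boundary except numbers, and a missing bridge fails at link time instead of leaking.

```javascript
// Constructed for this example: a minimal wasm binary with one import and one export.
//   (import "env" "log" (func (param i32)))
//   (func (export "run") (call $log (i32.const 42)))
const WASM_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,             // magic + version
  0x01, 0x08, 0x02, 0x60, 0x01, 0x7f, 0x00, 0x60, 0x00, 0x00, // types: (i32)->(), ()->()
  0x02, 0x0b, 0x01, 0x03, 0x65, 0x6e, 0x76,                   // import "env"
  0x03, 0x6c, 0x6f, 0x67, 0x00, 0x00,                         //   "log" func type 0
  0x03, 0x02, 0x01, 0x01,                                     // one function of type 1
  0x07, 0x07, 0x01, 0x03, 0x72, 0x75, 0x6e, 0x00, 0x01,       // export "run" = func 1
  0x0a, 0x08, 0x01, 0x06, 0x00, 0x41, 0x2a, 0x10, 0x00, 0x0b, // body: i32.const 42; call 0
]);

const MODULE = new WebAssembly.Module(WASM_BYTES);

// Defender's check: audit the capabilities a module asks for before granting any.
// Each entry here is a bridge the host must explicitly write; there is no ambient access.
function requiredImports() {
  return WebAssembly.Module.imports(MODULE).map((i) => `${i.module}.${i.name}:${i.kind}`);
}

function instantiate(imports) {
  return new WebAssembly.Instance(MODULE, imports);
}

// Grant exactly one capability. The sandbox can only hand us numbers, never a
// reference to a host object, so there is nothing to leak back through it.
function runWithLog() {
  const received = [];
  instantiate({ env: { log: (v) => { received.push(v); } } }).exports.run();
  return received; // [42]
}

// The only surface the host sees in return is the declared export list.
function exportedNames() {
  return Object.keys(instantiate({ env: { log: () => {} } }).exports);
}

// Forgetting a bridge is a hard failure at link time, not a silent fallback
// to some host object, which is the accident the polyfill approach invites.
function runWithoutLog() {
  try {
    instantiate({ env: {} });
    return 'instantiated';
  } catch (e) {
    return e instanceof WebAssembly.LinkError ? 'LinkError' : e.name;
  }
}
```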



