I read the article - it's an interesting read.

The claim is that a YouTube ad was serving malware.

However, upon reading the article, it seems that:

1. Somebody purchased legitimate YouTube ad space. 2. They then redirected that traffic twice through two other legitimate ad networks. 3. They then broke into a Polish government website, and funnelled the traffic there, to serve up malware.

That certainly doesn't seem to be a case of Google/YouTube serving up malware - if anything, these attacks went to a lot of trouble to obscure from YouTube what they were doing, precisely so they wouldn't get shut-down (presumably by either YouTube, or the two other ad networks they were piggy-backing on).

You could argue, they should have caught them earlier - but isn't that a bit like blaming your email provider that you got a spam/malware email - when the actual party to blame is the person sending you aforesaid spam/malware?

I'm not sure what you expect "Google ads serving malware" to mean other than exactly this. Of course it's not as simple as going into Google ad manager and clicking "upload virus". The fact that it included partner networks and a compromised website is unsurprising. When malware makes it through ad networks, it is common for it to take that kind of approach. At the end of the day you're effectively exploiting networks of trust.

In other words: a YouTube ad was serving malware.

All that backend obscurantism is completely irrelevant to the hapless viewer.

So if somebody sends you spam to your GMail account - you'd say "Gmail is sending you spam?"

Or if somebody posts a bomb in your postbox - you'd say "US Postal Service is building and sending bombs"?

There's a fairly clear distinction there...