I'm taking this at face value admittedly, since I don't know the provenance behind this github account or even whether it is related to production code.
I wonder to what extent not fixing it in the production version was a "conscious" business decision, and to what extent it was just overlooked.
And my extremely cynical side would like to point out that by many measures this incident benefits twitter as a company; they get free headlines, they are seen publicly fixing a problem in a timely manner, and they get more loyal followers. Not that there is some machiavellian plan at work, but there may be reasons beyond time poverty and careless software engineering that explain why something like this might not have been fixed even though some people may have been aware it was broken.
I'd bet against this being a strategic decision to allow this exploit to remain in the wild. They've already managed to build a popular business around convincing people to trust clicking obfuscated URLs from people they don't necessarily know. I highly doubt they'd trade free press in exchange for unleashing a self-propagating JavaScript exploit on their own network.
I don't think it's that conscious, it's just that the cost of preventing such incidents is perceived to be greater than the cost of responding to them after the fact. It's worked quite well for Microsoft, Oracle and others to be reactive rather than preventive. And as I pointed out above, there are incentives for that sort of behavior that do exist.
http://news.ycombinator.com/item?id=1713391