So the head of IT sec uses an unpatched browser, un-updated Java and allows applets from sites he sees for the first time in his life? Well, good enough for government work, I guess.
I thought that article said they used a zero day jvm bug, but your point stands: why would you execute something unknown, especially from a greeting card site? (Then again, it's a honey pot... I'm not sure I would be thinking straight in that situation either.)
They used zero-days previously, but not this time, according to the article:
The agency's name was not revealed, but Lakhani said it was a very secure one that specializes in offensive cybersecurity and protecting secrets and for which they had to use zero-day attacks in previous tests in order to bypass its strong defenses.
It implies this time they didn't have to, because a Christmas card from a cute Facebook profile was enough.
Thinking straight should not be required; that's why policies are around. If the policy is "no Java on work browsers, ever, for any reason" and "updates are installed the same week they are released by the vendor", the chance of somebody opening a Christmas card from a cute girl and getting national security compromised would be much lower.