Interesting article! However it lacks clarification…

The context of the article is Ethereum and EVM. Smart contracts do not run themselves but need a Dapp to run them.

So, there are 3 parts — upgrade-able smart contract sitting on the blockchain, the Dapp of the clueless investor, and the Dapp of the malicious contract creator.

I agree that the capability to upgrade the contract logic can be exploited. But creating a new smart contract will create a new address which requires update of all Dapps.