
Some paradoxes...

1) By running an antivirus, your emails end up on some public searchable and disclosable database?

2) They couldn't hack RSA clients that were using rsid, but they could hack RSA itself? That's the worst case of not eating your dog food in history.



Did you even read the article?

1) The file was uploaded manually by a security researcher.

2) They couldn't access a particular part of LM/NG protected by SecurID. They could've sent them an email also, they just wouldn't have gotten access to the information they needed. I'm sure RSA is using SecurID also, but someone somewhere fucked up and the attacker was able to find a security breach starting with the infected workstation. From there, it's easy to get personal info for social engineering, access network drives, etc.

Look, if you have a determined, well-funded country state hell-bent on cracking into your system, all the security in the world won't protect you.


1) This is not just "an antivirus". VirusTotal is a website where you go and upload a suspicious file, and they scan it. Also, this says nothing about the file being "public searchable"; it says it's made available for security industry professionals.

2) Yes. Typically you don't attack strong crypto, you find a weakness in its implementation. In this case, RSA Security's network was that weakness.


On the second point, a strong cryptosystem wouldn't have such a poor security design that RSA could break into any of its customers' networks. I'm sure a number of other RSA customers were surprised that RSA retained this power; I was.



