Having just discovered that this non-security-hole has been exploited on my site, I believe the original poster was right in his concerns.
When I started getting hits on my WP-managed site for viagra, program cracks, hacks and keycodes for html files in the wp-uploads folder, I started checking around then internet to figure out what was wrong.
I would like to remind the poster above me that WP is supposed to be a blogging program that the non-computer saavy can use. It's not a matter of learning how to drive. I know how to drive. I just don't know how to fix a car. I'm a mom with 2 kids experiencing car trouble.. I don't have time or energy to learn auto mechanics.
Click here for a portion of the screenshot of a google search of my page. The html pages listed were most definitely not put there by me. I do know how to change permissions, and THINK I understand what the various settings mean.
Because I don't really understand how this happened, even after reading all of the above, nor do I understand the "fixes" presented, I have completely wiped my site and started over. I use WP on another site, though, which was not affected. I will make sure my folders are all 755. When I have a permissions problem, I'll change the permissions for my specific folder to something more lenient, then right back when I'm done.
If anyone needs to take a look at those pages from the image referenced above, google still has them cached. I imagine a google search of "wp-upload" and one of the unsavory products will get you a live verion of that kind of thing.
Hopefully, one of you more knowledgeable folk will be able to figure out what's going on and help folks like me.