I think the point was that most of the visitors to mysql.com are developers and system administrators, and compromises to their machines can probably be leveraged into compromises of other sites. I doubt we've heard the last of this.
Doing this operation requires quite an effort. And you do not really know how long it will take till this root access will be fixed (you cannot really trust a random vendor on a hackers' forum, this post could be searchable through Google by mysql admins, some internal audit program could detect the intrusion).
So the easiest way to monetize: insert malware to put a trojan on visitors' machines. Next, hack into their bank accounts, or use these as part of a botnet or whatever. You basically got a highly visited place to put classic malware.
The point is... doing such things as replacing the mysql source flawlessly is hard; do not underestimate the effort needed to do that.
The attackers were focussing on client workstations to infect with malware, that's where the big money is. Potentially they could have owned some mysql installs by replacing installer binaries but it's less interesting for banking fraud etc.
I think that they just have access to 1 or more web servers. The hostname in the screenshot is http3.web.mysql.com. An organization like Oracle would presumably have multiple levels of security. It's likely the web servers would run in a DMZ, i.e. the lowest level of security.
Pretty sure he meant "rooted" in the sense of "inserted exploits into the codebase". In some sense that's much worse than mere root access to the host. Such a database could, for example, phone home with all updates to tables named "passwords", etc...
And even in the more banal sense you interpreted, sure: you might not run mysql.com-sourced daemons as root. But you almost certainly run the mysql command line utility as root from time to time.