Stories have been going around that a botnet was being spread by the HTC Magic on Vodafone. Specifically, it was Panda Security that sounded the alarm after they plugged in said Android phone and had all kinds of alarms go off. However, it turns out it was an infected memory card that was the culprit, and not a bad batch of phones, as original post author Pedro Bustamante later points out in the comments:
It’s the memory card for sure, not the actual Android filesystem. It could be a malicious employee, a bad batch, provided by the manufacturer, lack of QA or a returned and refurbished unit. But as you said, either way Vodafone needs to better QA these before shipping out to customers.
Pedro's right, there should be better QA to keep this from happening. But there also should be a little more discretion used before we see headlines such as "Vodafone distributes Mariposa botnet." (And the post itself hasn't been updated?) An infected memory card is bad, but one bad apple does not an outbreak make. The sky's not falling, folks.