The article points out that the police claim to have "real-time AV protection." And it would probably have passed through a police computer at least once; I doubt they'd be booting into a seized hard drive.
Those of us in the AV industry know that in practice AV software misses a lot of stuff, and updates need to be deployed properly as well. It's quite possible that AV software was installed but failed to catch this infection.
What you say is generally true. But we know that the lawyer's AV caught it. I have trouble believing that a law firm has better IT than a police digital forensic group. I guess one way of determining if it would have been caught by outdated or marginal AV software would be to figure out when the variants mentioned in the article were identified and added to most AV DBs. A project for another day perhaps.