Note that said poison filename worked because there is (was?) indeed a shiny system() call at some point of the various checks done by the support library used by the OTA updater.
That was 'fixed' by renaming all incoming .bin file w/ a random uuid in the 'update_<uuid>.bin' form, and that before said step.
----
We've (mostly) always used some kind of logic flaw in the OTA updater, because it started as (again, mostly) a simple shell script, and with most of the rest of the system being obfuscated java, that made it an obvious attack vector.
The fact that more recently, parts of its job have been off-loaded to C libraries put a serious dent in those kind of shenanigans, since none of us have any real skill in ARM assembly, which becomes kind of a basic requirement to look into things further.
Same with the other slightly less obvious attack vectors, they kind of require more specialized skills than simply poking at things with a stick for fun

(which is basically where I sit, personally ^^).