> 0-day exploits aren't tossed around like candy corn
They are if the zero-day isn't what you're after.
Something like this is like candy corn to a site like HN. You need an exploit and a reason to get your targets to visit your hacked site. When something like this hits HN's front page, if your target is in the tech world, odds are very good that you'll catch someone in the company/companies you're after. This is not theoretical. See, for instance, the Java exploits employed in those hacked iOS dev forums that successfully compromised computers at Facebook, Twitter, Apple, and Microsoft.
While DNS-hijacking Google.ps as a watering hole for HN seems like a bit of a long shot of a vector to get access to HN users, it would be a pretty logical vector for Palestinian Authority systems. And it is likely a lot of other users would get unintentionally caught in the net.
Flash/Java vulnerabilities are also quite a bit cheaper (100k range), and well within the price range of most criminal APTs, let alone nation-states. But I imagine most, if not all, HN users have those extensions disabled by default.
But overall the point is valid. The risk, even if not that large that anyone here would be targeted, makes it a good idea not to post directly to compromised websites. I'm not exactly wild about a random workstation at any US company being compromised, even though they weren't explicitly targeted, by random Israeli hackers or even Unit 8200.