For the kind of attack, like we have presented with Guillaume at CARDIS, I consider you can see it under several angles. Let me just depict several of these angles:
1- the attack consists mainly in another type confusion. Nothing really new on that point of view, you’re right
1 bis – to perform the attack, a single fault injection was necessary, aiming at skipping some instructions in the normal execution flow. Once again, it’s not new, as it is common in the smartcard industry.
2- it is an illustration how a previous legal application becomes illegal, ill formed, by using a physical perturbation. From this angle, this attack’s principle is very close to your concept of mutant application. It reveals that the security should not be based only on a single protection, but rather on regular, and preferably dynamic, controls.
3- the must interesting angle, from my opinion, is how new features, or new services, not necessarily directly linked with the security, can be tampered with to defeat the security of a product. Our article outlined how the new class object exploitation led to a potential weakness, if no security consideration have been taken into account in its implementation.

Regarding the last angle, such papers are very important. They reveal that new feature or functionality should not be added without a strong understanding of their impact in the product security. This should be done in accordance with the environment specificities the product is supposed to embrace, taking into account the specific threats and vulnerabilities.

Hope this post will be worth of interest.
Hugues