So it's pretty much graffiti?
Yup. Most likely it was just because the server was vulnerable. If it was against you or the company personally, you'd see a message reflecting that.

Can nasties be received simply by opening a page (cookie)? I've read things that hint at it, but no real answers.
Yup. Browser hijacking is far more common than people realize. Simply going through some of the threads in the Adware/Spyware forum will show you that. In fact, one "phish" (a technique to get or "fish" out information from users) I saw today has a website that forcibly downloads a Java app to the user's machine when they view Java. The app, AFAIK, actually takes cookie information and sends it to a specific email address. Never assume anything is secure, even if "GRC" says it is. There is always a way in. The question is, do you know it?

You might want to visit your local library or bookstore and check out their computer security section(s). Books like Hacking Exposed, HackerProof, etc. all give an idea of what the risks are.