That's pretty much it. A game card would not have access to system level functions or even direct hardware access, because it doesn't have those privileges, so an exploit in that game would run unsigned code with the same privileges. A permahack isn't usually possible without a kernel exploit, you've always got to run the game and the save exploit to get to homebrew. Sometimes a kernel mode exploit can be launched on top of a userland exploit, a good example of this is how twilight hack (userland exploit) was used to run the hackmii installer, which could install Bootmii/HBC via a bug in IOS (~kernel exploit).
In the case of the Wii (and Smash Stack), games could not receive software updates and that is why the exploits couldn't be patched. In the case of the 3DS, patches can be applied via manually downloaded updates and firmware updates, so you can bet that, if it's patchable, it will be patched.Also, since it's a save game exploit, it wouldn't be too difficult for a security expert to take a look at the modified saved game and figure out how it works. I imagine this particular exploit would be patched within a month after release.
It's unlikely we'll see this exploit released before a kernel mode exploit is found, unless a) Nintendo get lucky and find/patch it first; or b) Another, completely different userland exploit is found and there's no need to hold this one back.
Yellows8 apparently claimed it already included a kernel mode exploit.
The "WE HACKED IT" was apparently a modification of errdisp which is a system process.
IRC quotes aren't reliable though so I wouldn't hold my breath on this being true until it's announced in a more reliable way. (maybe neimod could post the picture on his flickr stream?)