Right. Like I said, it doesn't do much for a malicious developer actively trying to subvert the process. That doesn't mean it's useless. I would guess most problematic apps are not malicious, but are an honest misunderstanding or disagreement about what level of quality is acceptable or what types of services are allowed.
A moderately clever developer could sneak something past the Apple app store review too. Wasn't there a flashlight app that included a secret wifi tethering tool?