Each VPS is isolated from this threat, so if Bob's Drupal site is infected, only his site and others on his account run the risk of infecting each other.
Also we DID block the SQL injection attacks if you kept Extra Web Security on for your site. See? It's a good thing
So when Drupal says "or otherwise remove all the website’s files and database from the server" they literally mean if you delete ALL the files from your server, take the DB down, and then upload it all from clean and fresh downloads from Drupal.com, you should be okay.
Of course that won't clean your uploads, which have to be checked manually, nor your database (ditto). I'm not a Drupal expert, but I know the theory is the same as with a hacked WP site. Clear out the files, only upload ones you KNOW are good, and if possible check the database. I read through https://www.drupal.org/node/2365547 and with the exception of that DB, I think it's pretty much the same as WP.