The point is that Google should not be allowed to let those malicious ads through and be held accountable for the damages, both to the GIMP project in this case as well as to whoever may have clicked on the malicious link and installed the malware.

They turn a blind eye when it suits them such as the "misleading thumbnail" policy on YouTube that's never enforced.

It empirically is allowed, though. Google is welcome to claim that it's against their rules, but they still let it through.

Ban? They shouldn't need to look for bad actors or ban anyone†, they just shouldn't let people spoof the domain on an advert. At all.

What's happening is Google would rather accept the cash up front and keep it if and when someone reports an ad. No forethought is given to people tricked by this.

† Obvious exception for unicode squatters but even they should be filtered out entirely automatically. Invisible or misleading characters in your domain should be automatically blocked.

I don't care how many they rejected, I care that they published more than zero.

I feel that what they meant was, why is this even possible to do