A huge amount of legitimate sites are hacked by spammers ...

malware download, promotion of traffic to low quality sites, p o r n, and marketing of counterfeit goods or illegal pharmaceutical drugs, etc.

For such a big problem, why has it taken Google so long to finally take action? They should have done something about this years ago.

5% is pretty big considering that Panda 4.2 was supposed to be 2-3%.

In the areas I work in, the thing I see the most is people inserting either a few subtle and relevant links into a strong page on a strong site (try to fly under the radar long term) or to upload one or more files to use as a private FFA links page (churn & burn or just too greedy). So part of this change could be quite an impact on a lot of sites that are part of link farms and splog networks, or who rely too much on that ecosystem. Interesting!

My question here would be, will of the hacked websites used as backlink farms be penalized as well as the websites using those website backlinks? Is this another venture for negative SEO teams to explore? Let`s face it, these news are a two-sided coin and I'd hate it if I have to battle against second generation Negative SEO attacks, considering the first wave is not fully understood yet.

Big deal! This makes organics serps look even more less relevant to the search. While ads are now 10:1 ? What a user might think of it? But for me it would something like:
Hey 30 ads on this search but only 5 organic sites, there must be something worng with this sites.

And, I never ever was taken to a site with hacked spam on it!
I more was taken to sites with low content and irrrelevant content.

Again its a shame for google to push down organics in faviour to push their ads.

Im with @Martin Ice Web surely panda sorts out this kind of thing.. more censoring in the name of so called spam fighting.. 5% is a heck of a lot so 5% of the search results have been hacked? haha...

I don't think Panda does sort this out. I know a week or so ago I was looking through the SERPS and ran into a pdf that looked like it was from one of my competitors. It had a legitimate title etc. I clicked to see what it was and it immediately redirected to Russian #*$! sites. It was on like page 4 of the SERPS. I was kind of amazed that is was pure spam yet had gone totally unchecked. I think from what I have seen lately that the view that Google's bot actually goes through and looks at sites as we see them online may not actually be so. This is why there is such conflict - they aren't looking at things the same way.

... and marketing of counterfeit goods

There was a huge number of shared IIS servers that got hacked last year around June-August time. I got hit too :( .

7 domains on the account. Had to move to another host after a big fight with a hosting company who refused to clean up the server saying that there is nothing they could do. Accounts/Domains were just being "rehacked" within a day of each clean up.

Each of the domains(4 domains are 1 page sites, one had 6 pages, too were up to 10 pages no more) gained over a 100,000 back-links from other hacked sites. Each of the domains had up to 1000 pages of spam created in subfolders of the site, e.g, images/css/js folders got hit, but nothing in the root. Not a problem here, cause the site just contain some old information. Not until One looks at the IIS logs.

Between GoogleBot, Baidu, MJ12bot, DotBot(moz) and XoviBot there is up to 3MB worth of crawl logs for each domain, each day, still to this day, after a year of getting 410 for every hacked page request.

RewriteCond %{REQUEST_URI} (shoes|moncler|nike|lv|goose) [NC]
RewriteRule ^.* - [G,L]

RewriteCond %{REQUEST_URI} !googledb123456789.html
RewriteCond %{REQUEST_URI} (.*).asp|html$ [NC]
RewriteRule ^.* - [G,L]

There are currently hundreds of thousands domains that are still hacked/effected by that incident where actual webmasters don't know that their site is infested.

Excellent. I only hope it works as planned.

Oh boy, here come the false positives. For years Google has been "promoting" those site that steal images, then place them on a MFA blog, then that image links to either a clickbank link or some bad neighborhood. So, using guilt by association it's likely to be tied to that trash. Nice.
I wrote to Google recently complaining that they can ID millions of photos of people's faces and then tie that photo to an actual person with a great degree of accuracy, yet they can't ID a normal photo bitmap pattern and date it to determine the original owner. That's pretty sad. All those computers and nothing to do but sift buyers.

I'd be pleasantly surprised if they don't screw things up like the Panda and Penguin messes. However given the somewhat dire history of dealing with simple problems, I would not be optimistic.

The compromised sites problem is actually a fluid one and the iffy links on the cracked sites tend to regularly change. Sometimes one set of crackers fix the exploit that left them compromise the site. However there are bad neighbourhoods/hosters. If a domain name hosted on these iffy hosters/nameservers is present on a site, then it has probably been compromised. The links can also be transient in nature.

The solution to the problem is, like many of the ones that Google failed to solve, quite simple.

Regards...jmcc