It looks like in the British Airways example you cited, they were serving some shared libraries off a CDN managed and operated by BA itself, so in effect they were “serv[ing] the JS from [their] own site”, albeit from a different system than their presumably server-rendered portion of the site. Am I mistaken here?

Even if they had bundled, they would likely have hosted the bundle on that same (apparently) hackable/insecure CDN, and the hacker, who clearly went out of their way to target BA, could just as easily have modified the bundle to include the malicious code.