> Is there any organization (law enforcement, security researchers, etc.) that would be interested to know about the attack, the code used, or any follow-up requests?
The code you posted in the other thread gives the impression of being unique because malware creators use an algorithm to generate a slightly different obfuscation function every time. This prevents it from showing up in Google or from AV software recognising it using a simple string match.
However, the core functionality (which is to take external input and run it through exec()) is incredibly common. I've personally come across at least a dozen identical cases (and I don't work in security or anything like that) and I imagine there are hundreds of thousands of sites running this code out there at any given time. Your host is probably apathetic because they've already dealt with 10 different instances that day if they're a large host. Law enforcement is probably equally unlikely to be interested.
> possibility that other servers under their control may have been affected
Shared hosting users are usually pretty well isolated from one another. As I mentioned, shared hosting accounts get hacked all the time. Most hosting companies also run off-the-shelf shared hosting management software – so if the isolation was really broken in their system it would also be broken for other hosts and discovered pretty quickly (although who knows, some hosts might be too lazy to update their software).
> It would be easy to set up a replacement script for "images.php" that would log any requests without executing them. So my question is, is there any reason to do that?
It could be mildly interesting, but it's a pretty safe bet the only thing you'll get are scripts to send viagra spam.
> The hosting company adamantly insists that if it happened at all, the only possible explanation is that my friend's password was compromised (somehow).
It's possible (and perhaps likely). What FTP client does he use? Many FTP clients (cough FileZilla cough) store their passwords in plain text and in a very predictable location. In other words, it's a perfect target for malware on his PC.
It's also possible they sent him a phishing page which looks like his hosting login; it wouldn't be hard to determine his hosting company or email.
There's some chance it was compromised via a vulnerability in the site but this is unlikely if it's just a simple business card site which accepts little or no external input.
The bottom line is, there's a pretty big incentive for malware creators to compromise hosting accounts. Usually they're a pretty easy target and all the spam in the world has to get sent from somewhere!
In terms of cleaning it up, if you've only got a few files then just manually check all of them. Otherwise go by file date-stamp, but it is sometimes possible to alter this.
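
For the cleanup step, an added example (not code from the original post): since the obfuscation differs per copy and date-stamps can be altered, this sketch flags PHP files by behaviour (an execution call in the same file as request input or a decoder) and reports both mtime and ctime. The pattern lists and the constructed sample files are assumptions for illustration.

```python
import os, re, tempfile, time

# Heuristic patterns (assumed for this example, not signatures from the post).
SINK = re.compile(r'\b(eval|exec|assert|system|passthru|shell_exec)\s*\(', re.I)
SOURCE = re.compile(r'\$_(GET|POST|REQUEST|COOKIE|SERVER)\b')
DECODER = re.compile(r'\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(', re.I)

def scan(root, long_line=1000):
    """Return [(path, reasons, mtime, ctime)] for suspicious .php files under root."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith('.php'):
                continue
            path = os.path.join(dirpath, name)
            with open(path, errors='replace') as fh:
                text = fh.read()
            reasons = []
            if SINK.search(text) and SOURCE.search(text):
                reasons.append('execution sink and request input in same file')
            if SINK.search(text) and DECODER.search(text):
                reasons.append('execution sink and decoder in same file')
            if any(len(line) > long_line for line in text.splitlines()):
                reasons.append('very long line (possibly packed code)')
            if reasons:
                st = os.stat(path)
                hits.append((path, reasons, st.st_mtime, st.st_ctime))
    # Sort by ctime: on Unix it records the last inode change and is not
    # reset by simply rewriting the file's modification date.
    return sorted(hits, key=lambda h: h[3], reverse=True)

def demo():
    """Scan a constructed web root: one clean page, one file shaped like the post's."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, 'index.php'), 'w') as fh:
        fh.write('<?php echo "Hello"; ?>\n')
    bad = os.path.join(root, 'images.php')
    with open(bad, 'w') as fh:
        fh.write('<?php $k = $_REQUEST["k"]; exec($k); ?>\n')
    # Simulate an altered date-stamp: mtime set a year back, ctime unaffected.
    old = time.time() - 365 * 86400
    os.utime(bad, (old, old))
    return scan(root)

if __name__ == '__main__':
    for path, reasons, mtime, ctime in demo():
        print(path, reasons, time.ctime(mtime), time.ctime(ctime))
```

A hit is a prompt for manual review, not proof: legitimate code also calls these functions, and on Windows `st_ctime` is creation time rather than last change.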