Google's Webmaster tools dashboard is also supposed to offer an option for re-reviewing your site after it has detected nasty stuff on it. This option was invisible for us (and we are not the only ones). Fortunately I discovered a solution -- reloading the dashboard from scratch reloads the initial "Request review" button under the Diagnostics/Malware tab.
According to Google, it could take as long as 48 hours to get off the blacklist. That would have been a disaster for us. But we were lucky. Within 8 hours, the ban had been lifted.
Now all we had left to do was tell our users what happened, and hope that a) no one had gotten infected by visting our site, and b) people who'd encountered the Red Screen of Death would be willing to come back again. The jury's still out on both of those.
Lessons learned? Obviously keep all your site's plug ins and software up to date. (Though this would have been much easier if OpenX had plugged into the WordPress admin dashboard and not required its own, or if it had some mechanism for alerting users when security holes had been discovered besides its support forums.)
A more important lesson though, is that the price of Internet publishing is eternal vigilance. Being hacked can happen to anyone. Even you.