RE: Malicious site pointed A-Record to my IP, Google Indexed

That sounds like a bad web server config. Most servers run a virtual host, meaning the URL determines what website is served up. Either you have your own virtual dedicated server and only one site that isn't using vhost, or your host has set your website up as the default site.

If you have control over the web server config, I would add the malicious site to the config as a hosted site and then have it return a 404. That should de-index it.

If you don't have that level of control, try to get a 301 redirect for the bad domain. You really need  something like an htaccess that says if a site is accessing my website as anything but www.mydomain.com it needs to 301 to that URL. Otherwise anyone in the world can hijack your site the way it's set up now. Just point another A record and instant duplicate content headaches.

Those are some sloppy URLs. I especially advise people to avoid the problems of relative paths in ANY URL. And, yes, <base> probably isn't helping.

Links starting with / are fine. That's the root of your site. Anything using "../" should be nixed and use a fixed path. And never, ever use "./".

Wayfair is a similar comparison. Wayfair represents a single consolidated site compared to their 200+ domains previously (under the CSN brand). I'm familiar with them since we did similar things back in the day. I'm not sure how applicable it is because we used to do the same mega-spam footers they did. The bulk of their problem (long before Penguin) was that they were what is best termed as incestuous linking schemes. What crib bedding has to do with pool covers is anybody's guess. What likely tripped them up was, back in the day, we all linked keyword rich links to the sites without any regard to relevance. Once Google catches that you have to get rid of it. A single domain is far easier to SEO for, but they probably ultimately consolidated for the sake of advertising (their ads are everywhere). But (on point with the OP) Hayneedle did 301 their old domains to their new consolidated domain, and obviously for SEO benefit. Example

I don't think it's as big a deal now because link wheels like that are long gone. I have also seen other smaller networks arise (i.e. Soap) that link between properties (in the header no less) and do not nofollow anything. It's worth noting that these networks are poorly related (camping vs diapers vs clothing) so I don't think there's any real focus on SEO there (or they just don't care). At best these links carry some minor boost but at worst they carry no weight at all. Either way, if there was a penalty it doesn't show up.

There's nothing wrong with hidden elements as long as they serve some purpose other than to game Google. A hidden div with tons of content that will never be seen by a end user is spam. A hidden div that requires you to click on something to see it is not spam.

Matt Cutts talked about the issue a couple of years ago

I really like how Stack Exchange handles their URLs

http://stackoverflow.com/questions/30526714/seo-and-user-friendly-urls-for-multi-language-website

So to break down the URL, they have a directory questions, then the question ID and THEN the SEO friendly tag. Since the URL can be edited by anyone, it preserves the reference the system needs to access it regardless of what URL you're using. This might help your programmers if they know they can keep the ID in the URL. Otherwise you have the overhead of looking up the URL and then loading the correct page. Does that keep it typeable? No, but let's be honest... when was the last time you actually typed a URL (more than just the domain name) into your browser?