I can't comment on the "never been infected" claim, but the AS/400 does have an unusual architecture based on something called "capabilities" that provide support for objects and protection in the hardware (actually, the microcode). Then the OS is built on that. There is a detailed explanation of how this works in the AS/400 ancestor System/38 in chapter 8 in this book:

http://homes.cs.washington.edu/~levy/capabook/

PS - According to the Wikipedia article on System/38, IBM removed the capability-based addressing from the AS/400.

I'm not an OS guy either, but the article is setting off my baloney detector.

There's nothing inherent in OOP which is going to make it magically secure. It just seems like a spurious fact about OS/400 (and I say that as someone with very little knowledge of it, although I did use it as an 8 year old). Moreover, (maybe) there's no public record of infected instances, but that doesn't mean it didn't happen.