The truth the whole truth and...
Having been part of that pen test, I can say that this article not quite accurate.
The vulnerability exists when acting as a logged in user - so it's one of your mates thats the problem!
These and a number of other issues in WebAccess are addressed in a release that is scheduled for this PM.
And as for buggy! I think you need to review the uptime of a GW system and compare that to Exchange - boy is that a laugh.