Not such a big deal
It's really not such a big deal.
- It's really easy to fix. They could MD5 any other value from the iPhone instead of the MAC. Or even a random value. Expect it in the next app update.
- Commercial applications (hospitals, offices) will not use the consumer Hue bridge, but a commercial grade gateway, which will have a different API/access control. The only critical part is the ZigBee over-the-air security.
- The attacker must first have access to the LAN which requires to exploit a vulnerability in the host PC. Makes the whole thing much less probable.