"This steaming pile is apparently being sold and used."
Myriad experiences dealing with Japanese companies in the 1990s tell me that IOActive's report was buried by the people responsible for reporting upstream to management about such things (to save face) and steps may have been taken to obfuscate the vulnerabilities (changing the IP, or port, or attempting to firewall out IOActive).
The same thing will happen for this report.
No actual securing would take place until there is a report on a few Japanese news networks about the vulnerabilities, which will be the first inkling that Softbank's board of directors will have at _all_ of any problems with their fantastically wonderful Pepper bot, which their underlings have been reporting nothing but good things about.
At that point a large amount of fecal matter will fall upon the heads of the juniors who've been covering things up and what doesn't land on them will instead hit a few air movement devices spinning at 15,000rpm.
Why does this keep happening? It's all part of The Plan: https://funnyshit.com.au/the_plan.html