The original article on the penetration tester's website ends with a number of paragraphs about how it was hard to get a decent response from AGA to the issue.
I think the challenge of presenting to an organisation such security flaws is a story here. How do you get the right attention without resorting to public disclosure? This story also shows the lack of risk assessment and foreseeable misuse undertaken at design time by the rush to IoT everything in sight.