You would have a point if the exploit were more serious, and looked harder to fix than it does.
As is, this is a phishing-type variant that it's not at all clear Gatekeeper was even designed to stop. However, the default behavior described (especially making symlinks to NFS shares without any sort of warning or special graphic when following them in Finder) seems sufficient for forceful language when complaining about it to Apple, or for giving a disclosure deadline and then publishing.
What does that mean? Is there proof? How long do you wait before you call not getting a response 'dropping'?
The potential consequences require more than this.