I'd say it's even likely. I have worked on software for electric pumps, not this kind, but in general everything has software running on it now.
The more hard to believe part is that a lot of electric equipment like water pumps have very simple software running on them, which might only be controlled by some messages on a serial bus that sends certain commands. To use that as a vector you would need the software to have very specific vulnerabilities.
You're thinking of one specific kind of "water pump", a small device with a simple microcontroller. But a "water pump" could mean many things, and it could be a larger system that is run by a computer running windows, with functionality that is essentially "a water pump" but it may be doing far more than only pumping water. Often the details are lost when journalists try to dumb down a subject so an average luddite can read it. The actual equipment may be a large box that has a water input and water output, but contain many other functions within - and the article does not describe any of this, it simply says "water pump", so of course some people are going to construe that as simply a motor, an H-bridge, and a microcontroller. But the reality is that it could be a far more complex device than that. The "water pump" designation could come from nothing more than the "telephone game" where information gets diluted as it gets told to successive people in the chain until it gets written in an article simply as "water pump" when it could be a far more sophisticated piece of equipment than that.
True, I wouldn't call it a water pump if it was some separate, sophisticated control system that controls more than a water pump. But it's a realistic scenario.
