Well, they've certainly cleaned up their act, but I definitely wouldn't say that they're known to be among the best in the industry. I remember just a few years ago, you could get to ring0 in Windows and install a rootkit just via the registry. Let's not forget all the Hotmail vulnerabilities similar to this that have been active for an indeterminate amount of time.
No they don't. They have a reputation for taking months to respond to security issues, responding with "yeah whatever, we'll look into it" and then doing nothing for months, leaving software vulnerable to known exploits because "it's not patch day yet", and similar bullshit.
It's not a client-side fix. Just stop the server from sending the token/link to the clients. Sure, that might degrade the client experience a bit (assuming that the client isn't just displaying a webview, in which case no degradation would occur), but it would fix the problem for now.
Later on you can take your time rolling out a client fix if it's required, but a hotfix server-side is entirely possible; there's no excuse for leaving this vulnerability open when it's been made this public (step-by-step instructions to hack someone's account, with screenshots!), especially since you were contacted privately about it ~3 months ago.
You don't push the fix to the client. They have some notification system out there that is sending the messages to the client. They just need to stop it from sending these kinds of messages. Obviously I can't say how much work is involved in that - but they don't need to push an updated client.