Everyone messes up. Every exploit can be made into an easy-to-distribute tool. As an industry, the idea is to help the people who make these mistakes fix them as soon as possible so users don't get hurt.
The problem is that the incentive here is for Onity to NOT disclose anything and keep on going like nothing happened. They'll get around to replacing them one day, and it hasn't caused any huge scandal yet, so what the hell right? It can wait! The alternative: a lot of bad press and millions of dollars in hardware fixes. Contrast that with a software fix delivered through the internet, instantly fixing the hole.
Then there's the matter of whether Onity seems like a trustworthy company that would do the right thing. A company whose ONE job is to make electronic locks, but still has an obvious security hole in their system, is either 1. really stupid or 2. knows about it and has done nothing. A security hole in a beast like Windows (whose main purpose is not security, btw) I could understand and sympathize with. A lock is not nearly as complex. Either way, I wouldn't trust them to do the right thing.
"Everyone messes up" is fine if your job is creating systems where security is largely a secondary concern. If security is the whole point of your product in the first place, and your product is actually completely insecure, that's not messing up, that's gross incompetence.